NOTE: Niagara Windows and Linux Supervisor installations are not impacted.
Tridium has released new updates that mitigate these vulnerabilities.
We have updated the QNX OS images to remove the vulnerability and recommend that users update to the versions identified below:
Niagara AX 3.8u4
OS Dist: 2.7.402.2
NRE Config Dist: 3.8.401.1
OS Dist: 18.104.22.168.1
NRE Config Dist: 22.214.171.124.1
OS Dist: (JACE 8000) 126.96.36.199.1
OS Dist (Edge 10): 188.8.131.52.1
NRE Config Dist: 184.108.40.206.1
These updates are available by contacting your sales support channel or by contacting the Tridium support team at firstname.lastname@example.org.
It is important that all Niagara customers for all supported platforms update their systems with these releases to mitigate risk. If you have any questions, please contact your Tridium account manager or contact Customer Support via email@example.com.
In addition to updating your system, Tridium recommends that customers with affected products take the following protective steps:
Review and validate the list of users who are authorized and who can authenticate to Niagara.
Allow only trained and trusted persons to have physical access to the system, including devices that have a connection to the system through the Ethernet port.
If remote connections to the network are required, consider using a VPN or other means to ensure secure remote connections into the network where the system is located.
Cybersecurity is a priority at Tridium. We are dedicated to continuously improving the security of our products, and we will continue to update you as we release new security features, enhancements, and updates.
Appendix: About CVSS
The Common Vulnerability Scoring System (CVSS) is an open standard for communicating the characteristics and severity of software vulnerabilities. The Base score represents the intrinsic qualities of a vulnerability. The Temporal score reflects the characteristics of a vulnerability that change over time. The Environmental score is an additional score that can be used by CVSS, but is not supplied as it will differ for each customer. The Base score has a value ranging from 0 to 10. The Temporal score has the same range and is a modification of the Base score due to current temporary factors. The severity of the score can be summarized as follows:
0.1 – 3.9
4.0 – 6.9
9.0 – 10.0
A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score.
Detailed information about CVSS can be found at http://www.first.org/cvss.
CUSTOMERS AND USERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
YOUR USE OF THE INFORMATION IN THIS DOCUMENT OR MATERIALS LINKED FROM THIS DOCUMENT IS AT YOUR OWN RISK.
TRIDIUM RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME AND WITHOUT NOTICE.
TRIDIUM PROVIDES THE CVSS SCORES ‘AS IS’ WITHOUT WARRANTY OF ANY KIND. TRIDIUM DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PURPOSE AND MAKES NO EXPRESS WARRANTIES EXCEPT AS MAY BE STATED IN A WRITTEN AGREEMENT WITH AND FOR ITS CUSTOMERS.
IN NO EVENT WILL TRIDIUM BE LIABLE TO ANYONE FOR ANY DIRECT, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES.
Latest version 1.1 includes advanced data visualization module!
VYKON Integrated Analytics broke new ground when it was introduced. This innovative product uses real-time analytics at the edge (device level) to harness the enormous power of the Internet of Things.
Today, Niagara users are even better positioned to capitalize on the IoT data explosion. Niagara AX Supervisors and select JACE® controllers now feature the latest version of VYKON Integrated Analytics with advanced data visualization.
Key advantages of the latest version:
* Available on JACE 600 series and Niagara AX Supervisors
* Offered with Niagara Analytics Explorer, an advanced data visualization module
* Supports a wide array of third-party visualization packages
* Includes e-learning training option
Introducing e-learning: Tridium is debuting an analytics e-learning training and virtual certification for Niagara AX-certified professionals, available with this version release.
Instructional video: Be sure to check out “How to bring data to life using widgets and visualization tools.” This tech tip, and associated workstation available with purchase of VYKON Integrated Analytics, is presented by recognized industry expert James Johnson. (Niagara Community login required)
Click to download the original VYKON Integrated Analytics brochure for comprehensive product information. Visit our website for more about how VYKON Integrated Analytics can help you turn big data into a big opportunity.