Summary
Cybersecurity is a priority at Tridium. We are dedicated to continuously improving the security of our products, and we will continue to update you as we release new security features, enhancements, and updates.
Security Bulletin# SB 2019-Tridium-3
CVSS v3.0 Base Score: 4.4 (AV:L/AC:L/PR:H/UI:N/S:U/
Defect# HAREMB-1220
CVSS v3.0 Base Score: 8.0 (AV:L/AC:H/PR:H/UI:N/S:C/
Defect# HAREMB-1221
Two vulnerabilities have been discovered in the QNX operating system images distributed by Tridium.
The first could allow a less privileged process to gain read access to privileged files.
The second is in the QNX procfs service and could allow a less privileged process to gain access to a chosen process’s address space.
The following supported platforms are impacted:
NOTE: Niagara Windows and Linux Supervisor installations are not impacted.
We have updated the QNX OS images to remove the vulnerabilities and recommend that users update to the versions identified below:
Recommended Action
Tridium has released new updates that mitigate these vulnerabilities.
| Product | QNX Patches |
| --- | --- |
| Niagara AX 3.8u4 | OS Dist: 2.7.402.2; NRE Config Dist: 3.8.401.1 |
| Niagara 4.4u3 | OS Dist: 4.4.73.38.1; NRE Config Dist: 4.4.94.14.1 |
| Niagara 4.7u1 | OS Dist (JACE 8000): 4.7.109.16.1; OS Dist (Edge 10): 4.7.109.18.1; NRE Config Dist: 4.7.110.32.1 |
These updates are available by contacting your sales support channel or by contacting the Tridium support team at support@tridium.com.
It is important that all Niagara customers for all supported platforms update their systems with these releases to mitigate risk. If you have any questions, please contact your Tridium account manager or contact Customer Support via support@tridium.com.
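Added example, not part of Tridium's bulletin: a fleet check that compares each controller's installed dist versions against the fixed versions listed above and reports hosts that still need the update. The release-line keys, the inventory columns and the rule that a version numerically equal to or higher than the listed one counts as fixed are assumptions of this example.

```python
import csv
import io
# Fixed versions are from the bulletin's table; keys, "*" and inventory layout are assumed.
FIXED = {
    "AX 3.8": {"os": {"*": "2.7.402.2"}, "nre": "3.8.401.1"},
    "4.4": {"os": {"*": "4.4.73.38.1"}, "nre": "4.4.94.14.1"},
    "4.7": {"os": {"JACE 8000": "4.7.109.16.1", "Edge 10": "4.7.109.18.1"},
            "nre": "4.7.110.32.1"},
}

def is_older(installed, fixed):
    """True if dotted version `installed` sorts before `fixed` (zero-padded)."""
    a, b = ([int(p) for p in v.split(".")] for v in (installed, fixed))
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))

def audit(rows):
    """Return {host: [findings]} for every host that needs attention."""
    report = {}
    for row in rows:
        findings = []
        line = FIXED.get(row["line"])
        if line is None:
            findings.append("release line not in bulletin table")
        else:
            os_fixed = line["os"].get(row["platform"], line["os"].get("*"))
            for name, have, want in (("OS Dist", row["os_dist"], os_fixed),
                                     ("NRE Config Dist", row["nre_config_dist"], line["nre"])):
                try:
                    if want is None:
                        findings.append(f"{name}: platform not in bulletin table")
                    elif is_older(have, want):
                        findings.append(f"{name} {have} < {want}")
                except ValueError:
                    findings.append(f"{name}: unparseable version {have!r}")
        if findings:
            report[row["host"]] = findings
    return report

# Constructed inventory: hostnames and below-fix version strings are invented.
INVENTORY = """host,line,platform,os_dist,nre_config_dist
jace-01,4.7,JACE 8000,4.7.109.16.1,4.7.110.32.1
jace-02,4.7,JACE 8000,4.7.109.16,4.7.110.32.1
edge-03,4.7,Edge 10,4.7.109.16.1,4.7.110.32.1
jace-04,4.4,JACE 8000,4.4.73.38.1,4.4.94.14
jace-05,4.6,JACE 8000,0.0.0.0,0.0.0.0
jace-06,4.7,JACE 8000,unknown,4.7.110.32.1
"""
REPORT = audit(csv.DictReader(io.StringIO(INVENTORY)))
```

Note that an Edge 10 running the JACE 8000 OS dist version is reported, because the bulletin lists a different fixed version per platform for Niagara 4.7u1.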
Mitigation
In addition to updating your system, Tridium recommends that customers with affected products take the following protective steps:
Appendix: About CVSS
The Common Vulnerability Scoring System (CVSS) is an open standard for communicating the characteristics and severity of software vulnerabilities. The Base score represents the intrinsic qualities of a vulnerability. The Temporal score reflects the characteristics of a vulnerability that change over time. The Environmental score is an additional score that can be used by CVSS, but is not supplied as it will differ for each customer. The Base score has a value ranging from 0 to 10. The Temporal score has the same range and is a modification of the Base score due to current temporary factors. The severity of the score can be summarized as follows:
| Severity Rating | CVSS Score |
| --- | --- |
| None | 0.0 |
| Low | 0.1 – 3.9 |
| Medium | 4.0 – 6.9 |
| High | 7.0 – 8.9 |
| Critical | 9.0 – 10.0 |
A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score.
Detailed information about CVSS can be found at http://www.first.org/cvss.
Tridium’s latest advancement means you can protect the enterprise from losing valuable Niagara station and configuration data, and manage your Niagara licenses from one online location. Introducing Niagara Cloud, a growing suite of services that can help you leverage the Internet of Things in new and powerful ways. Backup as a Service: With BaaS, easily configure your Niagara stations to do automated secure backups to the cloud. BaaS is available to Niagara 4.3 users with a current Software Maintenance Agreement (SMA) at no additional cost. Asset Manager: You can access device backups and track your Niagara software maintenance expirations using our exciting new asset manager tool, live on the Niagara Community website. Contact us for more information.
Dear valued VYKON Partner, Tridium has released the third version of Niagara 4. Niagara 4.3 introduces enhancements that make it easier to manage and deploy templates, along with several other new features. Most notable about this release are the significant innovations built on Niagara 4.3, including:
* Backup as a Service (BaaS), our first Niagara Cloud offering launching in mid-July
* VYKON Integrated Analytics 2.0u2, with analytic chart enhancements and key defect fixes
* Support for JACE® 8000 IO R in both a 16 and 34 point module
* JACE 8000 expansion module Hardware Development Kit (HDK), new for developers
Niagara 4.3: Building upon improvements offered by Niagara 4.2u1, Niagara 4.3 offers enhancements that make it easier to manage and deploy templates, and a new Abstract Manager Framework for creating custom manager views. This release fixes the issues with Windows 10 service pack updates changing Host IDs.
Click here to download the features overview, and visit tridium.com to compare Niagara versions.
Backup as a Service: With the release of Niagara 4.3, we make it easy for you to back up your data—at no additional cost. Having an up-to-date Software Maintenance Agreement (SMA) allows immediate access to our new Backup as a Service (BaaS) when it launches in mid-July. BaaS will provide seamless, secure and scalable backups of Niagara to the cloud–24/7/365.
Asset manager tool: You will be able to access device backups via BaaS using our exciting new asset manager tool, to be introduced soon on the Niagara Community website.
Beyond accessing device backups via BaaS, the asset manager tool will help you simplify license management and recoup valuable time. Other key advantages include:
* Automatic push notifications of maintenance expirations and renewals
* Centralized, brand-agnostic view of all Niagara license information
* Easy access to specific device details through filters
* Single login using your Niagara Community credentials
VYKON Integrated Analytics 2.0u2: The second VYKON Integrated Analytics 2.0 update has been released with Niagara 4.3. VYKON Integrated Analytics 2.0u2 offers even more potential for systems integrators to differentiate themselves and build a trusted partnership with their customers by engaging in analytics as a continual process.
VYKON Integrated Analytics 2.0u2 features:
* Chart enhancements
  * All analytic charts have a configurable font property
  * Equipment Operation chart has a configurable property to show or hide Off status bar
* Key defect fixes for analytic charts
JACE 8000 IO R: Niagara 4.3 supports IO R on the JACE 8000. IO R allows the JACE 8000 to interface directly with simple non-intelligent inputs and outputs remotely located up to 4,000 feet from the JACE.
IO R makes the JACE 8000 more powerful and your migration path straightforward. Enjoy ease of use, enhanced capability, improved flexibility and minimal wiring labor—plus:
* Updated NDIO to NRIO conversion tool to support new JACE 8000 IO R modules
* Programmable Default states for Analog and Digital Outputs
* More information to come soon.
This year’s Summit will bring the opportunity to attend information-packed breakout sessions led by Niagara experts, a robust trade show filled with BAS and IoT industry leaders, and networking with others in the Niagara Community. We’ve just announced breakout sessions for the Developer Bootcamp, and the Business and Applications tracks. Some of the topics will include:
* Migrating from Niagara AX to Niagara 4, Building Niagara 4, Developing with Niagara 4
* Niagara Enterprise Applications, Open Smart Building Design & Commissioning, Edge to Cloud, Niagara Deployment Models, Cyber Security, Niagara Analytics
* Data Modeling, Intro to Niagara Development, Data Modeling, Templates, Web Technology
And many more!
Visit NiagaraSummit.com today for an overview and description of all breakout sessions. And, don’t forget… time is running out to take advantage of Early Bird registration! Register before February 29 to take advantage of discounted pricing.
If you have any questions about registration, contact Ken or Dave Smyers for more information and group discounts! For available sponsorship opportunities, please email us at niagarasummit@tridium.com. We’re looking forward to seeing the Niagara Community in New Orleans!
Sincerely,
Jenny Graves
VP, Global Marketing Communications
Tridium Inc.
P.S. … Need help convincing your boss? Just copy, paste and start looking for flights to New Orleans…
Attending Niagara Summit 2016 will be a tremendous opportunity for the organization and for me. Here are a few reasons why:
* I will have a chance to learn about the latest innovations in the Niagara Framework®.
* I will learn to optimize our use of the Niagara platform through expanded application possibilities, lowered costs, increased efficiency and maximized integration.
* I will attend enlightening keynotes from industry leaders and experts.
* I will walk away with a clear, informed strategy for our Niagara solutions and my own professional growth.
Tridium product marketing specialist Emily Weisensale and senior product manager Jonathan Rodriguez review what Niagara Community members need to know to be ready for the launch of Niagara 4. We offer several training options based on your credentials and role within your organization: For those who are Niagara AX certified, we have opened the Niagara 4 Cross-Over Web-based training and certification course. This is a self-paced, 12-hour e-learning course that can be completed online anytime, anywhere. (Part # TRN-DLS-N4-WBT) See below:
The course agenda includes:
Introduction to Niagara Distance Learning
Niagara 4 Product Summary
New Update: Niagara 4.1 Hardware Summary (JACE 8000)
Niagara AX to Niagara 4 Migration Tools
Niagara 4 Entity Model (Tagging, Hierarchy, Relationships, etc.)
Niagara 4 Search Functions
Niagara 4 System Architecture
Niagara 4 Charting Functions
Niagara 4 Security & User Administration
Niagara 4 HTML5 Views
Niagara 4 Dashboards
Certification Exam – Niagara 4 Technical Certification
For new users or those who are not certified, we will be offering a Niagara 4 Technical Certification Program (TCP). This will be a 5-day, instructor-led training and certification program offered worldwide this fall. (Part # TRN-CRS-N4-TCP) To register for a class, click here: Niagara 4 ILT Technical Certification Training