cvelistv5 - cve-2016-8365

CVE-2016-8365 (GCVE-0-2016-8365)

Vulnerability from cvelistv5 – Published: 2018-04-03 14:00 – Updated: 2024-09-16 16:58

Summary

OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Severity ?

No CVSS data available.

CWE

CWE-437 - Incomplete model of enpoint features CWE-437

Assigner

icscert

References

URL

Tags

	https://techsupport.osisoft.com/Troubleshooting/A…	x_refsource_CONFIRM
	https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03	x_refsource_MISC
	http://www.securityfocus.com/bid/94165	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	OSIsoft	PI System software	Affected: Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0 Affected: Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6 Affected: PI Buffer Subsystem, versions prior to and including, Version 4.4 Affected: PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:20:30.968Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
          },
          {
            "name": "94165",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94165"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PI System software",
          "vendor": "OSIsoft",
          "versions": [
            {
              "status": "affected",
              "version": "Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0"
            },
            {
              "status": "affected",
              "version": "Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6"
            },
            {
              "status": "affected",
              "version": "PI Buffer Subsystem, versions prior to and including, Version 4.4"
            },
            {
              "status": "affected",
              "version": "PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64."
            }
          ]
        }
      ],
      "datePublic": "2016-10-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-437",
              "description": "Incomplete model of enpoint features CWE-437",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-04-04T09:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
        },
        {
          "name": "94165",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94165"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2016-10-11T00:00:00",
          "ID": "CVE-2016-8365",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PI System software",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0"
                          },
                          {
                            "version_value": "Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6"
                          },
                          {
                            "version_value": "PI Buffer Subsystem, versions prior to and including, Version 4.4"
                          },
                          {
                            "version_value": "PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64."
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OSIsoft"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Incomplete model of enpoint features CWE-437"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308",
              "refsource": "CONFIRM",
              "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
            },
            {
              "name": "94165",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/94165"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2016-8365",
    "datePublished": "2018-04-03T14:00:00Z",
    "dateReserved": "2016-09-28T00:00:00",
    "dateUpdated": "2024-09-16T16:58:56.438Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:osisoft:pi_af_client:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.8.0\", \"matchCriteriaId\": \"5EA643EA-A95B-4444-971A-EDB0E533BBFB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:osisoft:pi_buffer_subsystem:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.5.0\", \"matchCriteriaId\": \"9036F577-4915-4DF5-A7BA-E79AFE4CCD9C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:osisoft:pi_data_archive:*:*:*:*:2016:*:*:*\", \"versionEndExcluding\": \"3.4.400.1162\", \"matchCriteriaId\": \"C57078BD-6694-4886-8859-EAC579E2B764\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:osisoft:pi_sdk:*:*:*:*:2016:*:*:*\", \"versionEndExcluding\": \"1.4.6\", \"matchCriteriaId\": \"FE61884E-9FC3-4DA7-8FBB-63CA74F7CD86\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)\"}, {\"lang\": \"es\", \"value\": \"El software OSIsoft PI System, en aplicaciones que emplean PI Asset Framework (AF) Client en versiones anteriores a PI AF Client 2016 2.8.0; aplicaciones que emplean PI Software Development Kit (SDK) en versiones anteriores a PI SDK 2016 1.4.6; PI Buffer Subsystem, en versiones anteriores a (e incluyendo) 4.4; y PI Data Archive en versiones anteriores a PI Data Archive 2015 3.4.395.64, opera entre endpoints sin un modelo completo de caracter\\u00edsticas de endpoint. Esto podr\\u00eda provocar que el producto realice acciones basado en este modelo incompleto, desembocando en una denegaci\\u00f3n de servicio. OSIsoft informa que, para explotar esta vulnerabilidad, un atacante necesitar\\u00eda estar conectado localmente a un servidor. Se ha calculado una puntuaci\\u00f3n CVSS v3 base de 7.1; la cadena de vector CVSS es (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).\"}]",
      "id": "CVE-2016-8365",
      "lastModified": "2024-11-21T02:59:13.820",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 2.1, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-04-03T14:29:00.247",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/94165\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/94165\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-437\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2016-8365\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2018-04-03T14:29:00.247\",\"lastModified\":\"2024-11-21T02:59:13.820\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)\"},{\"lang\":\"es\",\"value\":\"El software OSIsoft PI System, en aplicaciones que emplean PI Asset Framework (AF) Client en versiones anteriores a PI AF Client 2016 2.8.0; aplicaciones que emplean PI Software Development Kit (SDK) en versiones anteriores a PI SDK 2016 1.4.6; PI Buffer Subsystem, en versiones anteriores a (e incluyendo) 4.4; y PI Data Archive en versiones anteriores a PI Data Archive 2015 3.4.395.64, opera entre endpoints sin un modelo completo de caracter\u00edsticas de endpoint. Esto podr\u00eda provocar que el producto realice acciones basado en este modelo incompleto, desembocando en una denegaci\u00f3n de servicio. OSIsoft informa que, para explotar esta vulnerabilidad, un atacante necesitar\u00eda estar conectado localmente a un servidor. Se ha calculado una puntuaci\u00f3n CVSS v3 base de 7.1; la cadena de vector CVSS es (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":2.1,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-437\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:osisoft:pi_af_client:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.8.0\",\"matchCriteriaId\":\"5EA643EA-A95B-4444-971A-EDB0E533BBFB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:osisoft:pi_buffer_subsystem:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.5.0\",\"matchCriteriaId\":\"9036F577-4915-4DF5-A7BA-E79AFE4CCD9C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:osisoft:pi_data_archive:*:*:*:*:2016:*:*:*\",\"versionEndExcluding\":\"3.4.400.1162\",\"matchCriteriaId\":\"C57078BD-6694-4886-8859-EAC579E2B764\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:osisoft:pi_sdk:*:*:*:*:2016:*:*:*\",\"versionEndExcluding\":\"1.4.6\",\"matchCriteriaId\":\"FE61884E-9FC3-4DA7-8FBB-63CA74F7CD86\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/94165\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/94165\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

GHSA-FFJX-JHFG-R39P

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38

Details

Severity ?

5.5 (Medium)


                  
                    CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-8365"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-03T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)",
  "id": "GHSA-ffjx-jhfg-r39p",
  "modified": "2022-05-13T01:38:42Z",
  "published": "2022-05-13T01:38:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8365"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
    },
    {
      "type": "WEB",
      "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94165"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

VAR-201804-0079

Vulnerability from variot - Updated: 2023-12-18 13:28

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201804-0079",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "pi sdk",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "osisoft",
        "version": "1.4.6"
      },
      {
        "model": "pi buffer subsystem",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "osisoft",
        "version": "4.5.0"
      },
      {
        "model": "pi data archive",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "osisoft",
        "version": "3.4.400.1162"
      },
      {
        "model": "pi af client",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "osisoft",
        "version": "2.8.0"
      },
      {
        "model": "pi af client",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "osisoft",
        "version": "2016 2.8.0"
      },
      {
        "model": "pi buffer subsystem",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "osisoft",
        "version": "4.4 and less"
      },
      {
        "model": "pi data archive",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "osisoft",
        "version": "2015 3.4.395.64"
      },
      {
        "model": "pi sdk",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "osisoft",
        "version": "2016 1.4.6"
      },
      {
        "model": "pi af client",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "osisoft",
        "version": "2016(2.8.0)"
      },
      {
        "model": "pi software development kit",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "osisoft",
        "version": "2016(1.4.6)"
      },
      {
        "model": "pi data archive",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "osisoft",
        "version": "2016(3.4.400.1162)"
      },
      {
        "model": "pi sdk",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "osisoft",
        "version": "20160"
      },
      {
        "model": "pi data archive",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "osisoft",
        "version": "20120"
      },
      {
        "model": "pi buffer subsystem",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "osisoft",
        "version": "4.4"
      },
      {
        "model": "pi af client",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "osisoft",
        "version": "20160"
      },
      {
        "model": "pi sdk",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "osisoft",
        "version": "20161.4.6"
      },
      {
        "model": "pi data archive",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "osisoft",
        "version": "20163.4.400.1162"
      },
      {
        "model": "pi buffer subsystem",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "osisoft",
        "version": "4.5"
      },
      {
        "model": "pi af client",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "osisoft",
        "version": "20162.8"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "pi af client",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "pi buffer subsystem",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "pi data archive",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "pi sdk",
        "version": "*"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      },
      {
        "db": "BID",
        "id": "94165"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-009008"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8365"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:osisoft:pi_af_client:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:osisoft:pi_sdk:*:*:*:*:2016:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.4.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:osisoft:pi_buffer_subsystem:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:osisoft:pi_data_archive:*:*:*:*:2016:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.4.400.1162",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-8365"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "OSIsoft",
    "sources": [
      {
        "db": "BID",
        "id": "94165"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201611-316"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2016-8365",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 2.1,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Local",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 2.1,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2016-8365",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 4.9,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CNVD-2016-11094",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 4.9,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 1.8,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Local",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 5.5,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2016-8365",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2016-8365",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2016-11094",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201611-316",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8",
            "trust": 0.2,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-009008"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8365"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201611-316"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). OSIsoft PI System software Contains an access control vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. OSIsoft PI Web API is a product of OSIsoft Corporation of the United States for accessing PI system data. A local denial of service vulnerability exists in the OSIsoft PI System",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-8365"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-009008"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      },
      {
        "db": "BID",
        "id": "94165"
      },
      {
        "db": "IVD",
        "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8"
      }
    ],
    "trust": 2.61
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2016-8365",
        "trust": 3.5
      },
      {
        "db": "BID",
        "id": "94165",
        "trust": 2.5
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201611-316",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-009008",
        "trust": 0.8
      },
      {
        "db": "IVD",
        "id": "87D38CA7-2043-4E29-9C00-8DBD6630ADD8",
        "trust": 0.2
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      },
      {
        "db": "BID",
        "id": "94165"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-009008"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8365"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201611-316"
      }
    ]
  },
  "id": "VAR-201804-0079",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      }
    ],
    "trust": 1.5003968266666667
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:28:58.049000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "OSIsoft Releases Security Updates for Core Networking Component in PI System 2016",
        "trust": 0.8,
        "url": "https://techsupport.osisoft.com/troubleshooting/alerts/al00308"
      },
      {
        "title": "OSIsoft PI System Local Denial of Service Vulnerability Patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/83850"
      },
      {
        "title": "OSIsoft PI System Fixes for local denial of service vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=65684"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-009008"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201611-316"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-284",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-009008"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8365"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.7,
        "url": "https://ics-cert.us-cert.gov/advisories/ics-vu-313-03"
      },
      {
        "trust": 2.2,
        "url": "http://www.securityfocus.com/bid/94165"
      },
      {
        "trust": 1.9,
        "url": "https://techsupport.osisoft.com/troubleshooting/alerts/al00308"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8365"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-8365"
      },
      {
        "trust": 0.3,
        "url": "https://techsupport.osisoft.com/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      },
      {
        "db": "BID",
        "id": "94165"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-009008"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8365"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201611-316"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      },
      {
        "db": "BID",
        "id": "94165"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-009008"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-8365"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201611-316"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-11-15T00:00:00",
        "db": "IVD",
        "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8"
      },
      {
        "date": "2016-11-15T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      },
      {
        "date": "2016-11-08T00:00:00",
        "db": "BID",
        "id": "94165"
      },
      {
        "date": "2018-06-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-009008"
      },
      {
        "date": "2018-04-03T14:29:00.247000",
        "db": "NVD",
        "id": "CVE-2016-8365"
      },
      {
        "date": "2016-11-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201611-316"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-11-15T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      },
      {
        "date": "2016-11-24T01:08:00",
        "db": "BID",
        "id": "94165"
      },
      {
        "date": "2018-06-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-009008"
      },
      {
        "date": "2019-10-09T23:19:57.193000",
        "db": "NVD",
        "id": "CVE-2016-8365"
      },
      {
        "date": "2019-10-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201611-316"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "94165"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201611-316"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "OSIsoft PI System Local Denial of Service Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-11094"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Access control error",
    "sources": [
      {
        "db": "IVD",
        "id": "87d38ca7-2043-4e29-9c00-8dbd6630add8"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201611-316"
      }
    ],
    "trust": 0.8
  }
}

CNVD-2016-11094

Vulnerability from cnvd - Published: 2016-11-15

Title

OSIsoft PI System本地拒绝服务漏洞

Description

OSIsoft PI Web API是美国OSIsoft公司的一款用于访问PI系统数据的产品。 OSIsoft PI System中存在本地拒绝服务漏洞。攻击者可利用该漏洞使得受影响的应用程序崩溃。

Severity

中

Patch Name

OSIsoft PI System本地拒绝服务漏洞的补丁

Patch Description

OSIsoft PI Web API是美国OSIsoft公司的一款用于访问PI系统数据的产品。 OSIsoft PI System中存在本地拒绝服务漏洞。攻击者可利用该漏洞使得受影响的应用程序崩溃。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308

Reference

http://www.securityfocus.com/bid/94165

Impacted products

Name
['OSISoft PI AF Client 2016 (2.8.0)', 'OSISoft PI Software Development Kit (SDK) <2016 (1.4.6)', 'OSISoft PI Data Archive <2016 (3.4.400.1162)']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "94165"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-8365"
    }
  },
  "description": "OSIsoft PI Web API\u662f\u7f8e\u56fdOSIsoft\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u8bbf\u95eePI\u7cfb\u7edf\u6570\u636e\u7684\u4ea7\u54c1\u3002\r\n\r\nOSIsoft PI System\u4e2d\u5b58\u5728\u672c\u5730\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u5f97\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u5d29\u6e83\u3002",
  "discovererName": "OSISoft",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a \r\nhttps://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-11094",
  "openTime": "2016-11-15",
  "patchDescription": "OSIsoft PI Web API\u662f\u7f8e\u56fdOSIsoft\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u8bbf\u95eePI\u7cfb\u7edf\u6570\u636e\u7684\u4ea7\u54c1\u3002\r\n\r\nOSIsoft PI System\u4e2d\u5b58\u5728\u672c\u5730\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u5f97\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u5d29\u6e83\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "OSIsoft PI System\u672c\u5730\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "OSISoft PI AF Client 2016 (2.8.0)",
      "OSISoft PI Software Development Kit (SDK)  \u003c2016 (1.4.6)",
      "OSISoft PI Data Archive \u003c2016 (3.4.400.1162)"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/94165",
  "serverity": "\u4e2d",
  "submitTime": "2016-11-10",
  "title": "OSIsoft PI System\u672c\u5730\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

FKIE_CVE-2016-8365

Vulnerability from fkie_nvd - Published: 2018-04-03 14:29 - Updated: 2024-11-21 02:59

Severity ?

5.5 (Medium) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/94165	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03	Third Party Advisory, US Government Resource
ics-cert@hq.dhs.gov	https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/94165	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308	Vendor Advisory

Impacted products

Vendor	Product	Version
osisoft	pi_af_client	*
osisoft	pi_buffer_subsystem	*
osisoft	pi_data_archive	*
osisoft	pi_sdk	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:osisoft:pi_af_client:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5EA643EA-A95B-4444-971A-EDB0E533BBFB",
              "versionEndExcluding": "2.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_buffer_subsystem:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9036F577-4915-4DF5-A7BA-E79AFE4CCD9C",
              "versionEndExcluding": "4.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_data_archive:*:*:*:*:2016:*:*:*",
              "matchCriteriaId": "C57078BD-6694-4886-8859-EAC579E2B764",
              "versionEndExcluding": "3.4.400.1162",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_sdk:*:*:*:*:2016:*:*:*",
              "matchCriteriaId": "FE61884E-9FC3-4DA7-8FBB-63CA74F7CD86",
              "versionEndExcluding": "1.4.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)"
    },
    {
      "lang": "es",
      "value": "El software OSIsoft PI System, en aplicaciones que emplean PI Asset Framework (AF) Client en versiones anteriores a PI AF Client 2016 2.8.0; aplicaciones que emplean PI Software Development Kit (SDK) en versiones anteriores a PI SDK 2016 1.4.6; PI Buffer Subsystem, en versiones anteriores a (e incluyendo) 4.4; y PI Data Archive en versiones anteriores a PI Data Archive 2015 3.4.395.64, opera entre endpoints sin un modelo completo de caracter\u00edsticas de endpoint. Esto podr\u00eda provocar que el producto realice acciones basado en este modelo incompleto, desembocando en una denegaci\u00f3n de servicio. OSIsoft informa que, para explotar esta vulnerabilidad, un atacante necesitar\u00eda estar conectado localmente a un servidor. Se ha calculado una puntuaci\u00f3n CVSS v3 base de 7.1; la cadena de vector CVSS es (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)."
    }
  ],
  "id": "CVE-2016-8365",
  "lastModified": "2024-11-21T02:59:13.820",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 2.1,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-04-03T14:29:00.247",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/94165"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/94165"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-437"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ICSA-16-313-03

Vulnerability from csaf_cisa - Published: 2016-08-12 06:00 - Updated: 2025-06-05 22:02

Summary

OSIsoft PI System Incomplete Model of Endpoint Features Vulnerability

Notes

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation.

Recommended Practices

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Recommended Practices

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

Recommended Practices

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Recommended Practices

CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Locate control system networks and remote devices behind firewalls and isolating them from business networks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-16-313-03 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2016/icsa-16-313-03.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-16-313-03 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-16-313-03"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014"
      }
    ],
    "title": "OSIsoft PI System Incomplete Model of Endpoint Features Vulnerability",
    "tracking": {
      "current_release_date": "2025-06-05T22:02:02.695028Z",
      "generator": {
        "date": "2025-06-05T22:02:02.694916Z",
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-16-313-03",
      "initial_release_date": "2016-08-12T06:00:00.000000Z",
      "revision_history": [
        {
          "date": "2016-08-12T06:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Initial Publication"
        },
        {
          "date": "2025-06-05T22:02:02.695028Z",
          "legacy_version": "CSAF Conversion",
          "number": "2",
          "summary": "Advisory converted into a CSAF"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.8.0",
                "product": {
                  "name": "OSIsoft Applications using PI Asset Framework (AF) Client 2016: \u003c2.8.0",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Applications using PI Asset Framework (AF) Client 2016"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.4.6",
                "product": {
                  "name": "OSIsoft Applications using PI Software Development Kit (SDK) 2016: \u003c1.4.6",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Applications using PI Software Development Kit (SDK) 2016"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=4.4",
                "product": {
                  "name": "OSIsoft PI Buffer Subsystem: \u003c=4.4",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "PI Buffer Subsystem"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.4.395.64",
                "product": {
                  "name": "OSIsoft PI Data Archive 2105: \u003c3.4.395.64",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "PI Data Archive 2105"
          }
        ],
        "category": "vendor",
        "name": "OSIsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-8365",
      "cwe": {
        "id": "CWE-437",
        "name": "Incomplete Model of Endpoint Features"
      },
      "notes": [
        {
          "category": "summary",
          "text": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "To fully address potential for data loss or disconnection due to this issue, OSIsoft encourages users to upgrade to: PI Buffer Subsystem Version 4.5.0 or later, PI AF Client 2016 Version 2.8.0 or later, PI SDK 2016 Version 1.4.6 or later, PI Data Archive 2016 Version 3.4.400.1162 or later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        },
        {
          "category": "mitigation",
          "details": "For additional information about the vulnerability and recommended mitigation plan, OSIsoft\u2019s security bulletin AL00308, OSIsoft Releases Security Updates for Core Networking Component in PI System 2016 is available at the following location: (https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308)",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
        },
        {
          "category": "mitigation",
          "details": "In order to perform the upgrades, users can use the PI AF Client 2016 Install Kit to upgrade PI AF Client and the PI Buffer Subsystem together. Users can use the PI SDK 2016 Install Kit to upgrade the PI SDK. If PI Buffer Subsystem is installed on a machine without PI AF Client, users can use the PI Interface Configuration Utility (ICU) Install Kit (1.4.16.79B) to upgrade buffering without installing the PI AF Client software.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        },
        {
          "category": "mitigation",
          "details": "OSIsoft also offers the following defensive measures: Use transport security protection for all remote connections to the PI Data Archive Server to block attacks from adjacent networks. PI AF Client 2015, Version 2.7 and PI Buffer Subsystem, Version 4.4 automatically enable transport security with PI Data Archive Server 2015, Version 3.4.395.64 or later when the connecting application uses Windows Integrated Security (WIS). In order to verify an application is connecting with WIS and using transport security, review the PI Data Archive Server message log entries. For each successful connection, there will be a message with event ID 7082. The Method should be \u201cWindows Login,\u201d and if the connection is using transport security, then the ciphers will also be listed. If users are running PI Data Archive PR1, Version 3.4.375.38, to avoid data loss, it is imperative to upgrade PI SDK, PI AF Client, and PI Buffer Subsystem nodes before the PI Data Archive.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ]
    }
  ]
}

GSD-2016-8365

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-8365

Aliases

CVE-2016-8365

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-8365",
    "description": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)",
    "id": "GSD-2016-8365"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-8365"
      ],
      "details": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)",
      "id": "GSD-2016-8365",
      "modified": "2023-12-13T01:21:22.456101Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "DATE_PUBLIC": "2016-10-11T00:00:00",
        "ID": "CVE-2016-8365",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "PI System software",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0"
                        },
                        {
                          "version_value": "Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6"
                        },
                        {
                          "version_value": "PI Buffer Subsystem, versions prior to and including, Version 4.4"
                        },
                        {
                          "version_value": "PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64."
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "OSIsoft"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Incomplete model of enpoint features CWE-437"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308",
            "refsource": "CONFIRM",
            "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
          },
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
          },
          {
            "name": "94165",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/94165"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:osisoft:pi_af_client:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:osisoft:pi_sdk:*:*:*:*:2016:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.4.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:osisoft:pi_buffer_subsystem:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:osisoft:pi_data_archive:*:*:*:*:2016:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.4.400.1162",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2016-8365"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
            },
            {
              "name": "94165",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/94165"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 2.1,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-10-09T23:19Z",
      "publishedDate": "2018-04-03T14:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-8365 (GCVE-0-2016-8365)

GHSA-FFJX-JHFG-R39P

VAR-201804-0079

CNVD-2016-11094

FKIE_CVE-2016-8365

ICSA-16-313-03

GSD-2016-8365

Tags

Sightings

Nomenclature