Multiple vulnerabilities in Inductive Automation Ignition

Hello,

Today we received a newsletter about vulnerabilities in Inductive Automation Ignition.

Description
The researcher, 20urdjk, has reported 3 high-severity vulnerabilities in the Ignition product, from the manufacturer Inductive Automation, whose exploitation could allow remote code execution or authentication bypass.

CVE-2023-38121
CVE-2023-38122
CVE-2023-38123

Do you know anything about it?

They say that you should update to the latest version. Do you know if there is any other solution besides updating?

Today is the coordinated disclosure date for these issues discovered at ZDI earlier this year.

Upgrading to 8.1.26 or later is the only recommended course of action.

4 Likes

Note that v7.8 and v8.0 are completely end-of-life. v7.9 is in the "limited support" phase until next June. Only v8.1.x is in Active Support, and receives bug fixes. While an exception could be made for a v7.9 security fix, don't hold your breath.

Upgrade to v8.1.x.

Dates from this IA blog post: