PT-2020-20457 · Johnson Controls · Metasys NAE85 (+9 other products)

Lukasz Rupala · Published 2020-03-10 · Updated 2020-03-11 · CVE-2020-9044

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Metasys Application and Data Server (ADS, ADS-Lite) versions prior to 10.1
Metasys Extended Application and Data Server (ADX) versions prior to 10.1
Metasys Open Data Server (ODS) versions prior to 10.1
Metasys Open Application Server (OAS) version 10.1
Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6
Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6
Metasys NAE85 and NIE85 versions prior to 10.1
Metasys LonWorks Control Server (LCS) versions prior to 10.1
Metasys System Configuration Tool (SCT) versions prior to 13.2
Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1
Description

An XML External Entity (XXE) vulnerability exists in the Web Services of the Metasys product family. It could be exploited to cause a denial of service or to harvest ASCII files from the server.
Recommendations

For Metasys Application and Data Server (ADS, ADS-Lite) versions prior to 10.1, update to a version later than 10.1.
For Metasys Extended Application and Data Server (ADX) versions prior to 10.1, update to a version later than 10.1.
For Metasys Open Data Server (ODS) versions prior to 10.1, update to a version later than 10.1.
For Metasys Open Application Server (OAS) version 10.1, update to a version later than 10.1.
For Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6, update to a version later than 9.0.6.
For Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6, update to a version later than 9.0.6.
For Metasys NAE85 and NIE85 versions prior to 10.1, update to a version later than 10.1.
For Metasys LonWorks Control Server (LCS) versions prior to 10.1, update to a version later than 10.1.
For Metasys System Configuration Tool (SCT) versions prior to 13.2, update to a version later than 13.2.
For Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1, update to a version later than 8.1.

Fix

XXE


Related Identifiers

CVE-2020-9044

Affected Products

Metasys Application/Data Server
Metasys Extended Application/Data Server
Metasys Lonworks Control Server
Metasys NAE85
Metasys Network Automation Engine
Metasys Network Integration Engine
Metasys Open Application Server
Metasys Open Data Server
Metasys Smoke Control Network Automation Engine
Metasys System Configuration Tool