Description

In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.

Remediation

References

https://opcfoundation.org/security-bulletins/

https://opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2019-19135.pdf

Related Vulnerabilities

CVE-2017-7678 Vulnerability in maven package org.apache.spark:spark-core

CVE-2021-23926 Vulnerability in maven package org.apache.xmlbeans:xmlbeans

CVE-2023-49068 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-api

CVE-2020-14389 Vulnerability in maven package org.keycloak:keycloak-core

CVE-2021-22160 Vulnerability in maven package org.apache.pulsar:pulsar-broker-common

Severity

High

Classification

CWE-330 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Vendor Advisory Patch