Discover the Server-Side Request Forgery (SSRF) vulnerability (CVE-2021-36202) in Johnson Controls Metasys, impacting versions prior to 10.1.5 and 11.0.2. Learn about the impact, technical details, and necessary updates.
A Server-Side Request Forgery (SSRF) vulnerability has been discovered in Johnson Controls Metasys, allowing an authenticated attacker to inject malicious code into the MUI PDF export feature.
Understanding CVE-2021-36202
This CVE affects all Johnson Controls Metasys 10.x releases prior to 10.1.5 and all 11.x releases prior to 11.0.2.
What is CVE-2021-36202?
The CVE-2021-36202 is a Server-Side Request Forgery (SSRF) vulnerability that enables an authenticated attacker to insert malicious code into the MUI PDF export feature of Johnson Controls Metasys.
The Impact of CVE-2021-36202
The vulnerability has a CVSS base score of 8.4, with high severity impacts on confidentiality, integrity, and availability of the affected systems. Attack complexity is high, while privileges required are low.
Technical Details of CVE-2021-36202
The vulnerability description, affected systems, and exploitation mechanism are detailed below.
Vulnerability Description
The SSRF vulnerability in Johnson Controls Metasys allows an attacker to manipulate the MUI PDF export feature to inject malicious code.
Affected Systems and Versions
All Johnson Controls Metasys 10.x releases prior to 10.1.5 and all 11.x releases prior to 11.0.2 are affected by this vulnerability.
Exploitation Mechanism
An authenticated attacker can exploit this vulnerability by injecting malicious code into the MUI PDF export feature, causing the server itself to issue requests chosen by the attacker (SSRF).
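The guard below is an added illustration of the defensive side of the mechanism just described; it is not Metasys code, and the page gives no detail of how the export feature builds its requests. It assumes a server-side export that fetches resources from URLs under user influence, and shows the checks such a fetch should apply before connecting: a scheme and host allowlist, rejection of embedded credentials, and resolution of the host with rejection of loopback, private, link-local and other non-routable targets. All host names, addresses and URLs in it are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist for the hypothetical exporter: only these hosts may be fetched.
ALLOWED_HOSTS = {"static.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def resolve_all(hostname):
    """Resolve every A/AAAA record for hostname into ipaddress objects."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_forbidden_address(addr):
    """True for any address a server-side fetch must never reach."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def check_export_url(url, resolver=resolve_all):
    """Return (ok, reason) for a URL the export feature is asked to fetch.

    The resolver is injectable so the check can be exercised offline; in
    production the addresses it returns must also be the ones the HTTP
    client actually connects to, or a DNS rebind between check and fetch
    would bypass the guard.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    host = host.rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if is_forbidden_address(addr):
            return False, f"host resolves to forbidden address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Offline demo with a constructed resolver; 93.184.216.34 is a public address.
    public = lambda h: [ipaddress.ip_address("93.184.216.34")]
    rebound = lambda h: [ipaddress.ip_address("10.0.0.5")]
    print(check_export_url("https://static.example.com/logo.png", public))
    print(check_export_url("https://static.example.com/logo.png", rebound))
    print(check_export_url("http://169.254.169.254/latest/meta-data/"))
```

Redirects need the same treatment: the client must either refuse to follow them or run every redirect target through `check_export_url` again, since an allowlisted host that redirects to an internal address defeats a check applied only to the initial URL.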
Mitigation and Prevention
The following steps mitigate and prevent exploitation of CVE-2021-36202.
Immediate Steps to Take
Users are advised to update all Metasys ADS/ADX/OAS 10 versions with patch 10.1.5 and all Metasys ADS/ADX/OAS 11 versions with patch 11.0.2.
Long-Term Security Practices
Maintain ongoing monitoring and periodic security assessments to detect and prevent future SSRF vulnerabilities.
Patching and Updates
Regularly apply security patches and updates provided by Johnson Controls to safeguard Metasys systems against SSRF attacks.