AL00336 - OSIsoft releases security update in PI Web API 2017 R2 SP1


The PI Web API 2017 R2 release introduced a potential escalation-of-privilege vulnerability when the server instance is configured to use both Kerberos and Basic as authentication methods. This vulnerability does not apply to installations of PI Web API 2017 R2 configured with a single authentication method, such as Kerberos authentication only or Basic authentication only.

OSIsoft recommends upgrading the affected software package to address this vulnerability. The resolved issue was rated Critical (CVSS 9.0 - 10.0) using the Common Vulnerability Scoring System (CVSS).


Successful exploitation of this vulnerability would allow access to the PI System in the context of the service account user.

Note: Exploitation of this vulnerability would not allow the attacker access to the underlying operating system.

Affected Software

This issue applies to PI Web API 2017 R2 only, and in a configuration where both Basic authentication and Kerberos authentication are used. PI Web API 2017 R2 is installed with either the PI Vision 2017 R2 installation kit or with the PI AF Services 2017 R2 installation kit.

By default, PI Web API configuration has only Kerberos authentication specified. There are three main use cases where the non-default configuration of using both Kerberos authentication and Basic authentication is applicable:
  • Case (1): PI Vision WITH non-Windows, non-domain, or mobile clients AND using Events Table and XY Plot.
  • Case (2): Custom PI Web API applications WITH non-Windows, non-domain, or mobile clients AND using the indexed search feature.
  • Case (3): Custom PI Web API applications WITH non-Windows, non-domain, or mobile clients AND domain clients.
To check which authentication methods are configured on your instance of PI Web API, enter the request URL below and replace the example FQDN with the server name for your PI Web API instance:


Upgrade to PI Web API 2017 R2 SP1, which addresses this vulnerability. PI Web API 2017 R2 SP1 is available in the PI Vision 2017 R2 Update 1 installation kit for PI Vision deployments or through the PI AF Services 2017 R2 Update 1 installation kit for other deployments.

Kerberos-only authentication is the recommended configuration for all releases of PI Web API.

When OSIsoft issued this security bulletin, was it aware of this vulnerability being exploited?

No exploits of this vulnerability have been reported.

Defensive Measures

To fully address this issue, OSIsoft recommends upgrading to PI Web API 2017 R2 SP1, as this security update addresses this vulnerability. If upgrading is not an option, there are defensive measures available to reduce exposure. 

Authentication Methods

This issue is only exposed when Basic authentication is used in conjunction with Kerberos authentication. Using one of the following approaches is recommended as a defensive measure:

Option: Configure Kerberos only
  Pros: More secure; retains SSO for domain users.
  Cons: Non-domain, mobile or non-Windows users will in most cases be unable to authenticate with Kerberos.

Option: Configure Basic only
  Pros: Non-domain, mobile or non-Windows users will be able to authenticate.
  Cons: Less secure and will not support SSO. In cases (1) and (2) the indexed search crawler will be unable to update the index without Kerberos.

Option: Use two PI Web API installations: a data access instance with Basic and one with Kerberos to update the search index
  Pros: Functionality, compatibility and security are preserved.
  Cons: Additional administrative burden of configuring and managing an additional installation.

Option: Use a different port than PI Vision for PI Web API and block remote connections to that port (LiveLibrary Instructions)
  Pros: Preserves most functionality for non-domain, mobile or non-Windows users.
  Cons: Only practical in case (1). Events Table and XY Plot will no longer be accessible to non-domain, mobile or non-Windows users.

PI Web API configuration data is stored in the PI AF Configuration database. For more information on setting PI Web API configuration settings, see PI Web API configuration in Live Library.

Least Privilege

Configure least privilege mappings in the PI System for the PI Web API service account user. While this does not remove exposure to the vulnerability, it can reduce the impact if exploited. If the PI Web API service account user is a domain account, the implicit default mappings are to the Everyone and PIWorld PI identities, which typically serve read-only access roles. Since the PI Web API impersonates requests, the service account does not require read access to data to function.

Communications Whitelisting

Use a host-based firewall to limit access to PI Web API port 443 to only trusted workstations and software.

Please consult your IT engineer for advice on how to best implement these firewall restrictions in your organization's architecture.
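As an added illustration of the host-based whitelisting described above (this script is not part of the OSIsoft alert and is not OSIsoft tooling), the following PowerShell uses the built-in Windows Defender Firewall cmdlets from the NetSecurity module to scope inbound TCP/443 on the PI Web API host to a trusted address list. The address ranges and the rule name are constructed placeholders; the script assumes a Windows Server host and an elevated session.

```powershell
# Added example, not part of the OSIsoft alert. Restricts inbound TCP/443 on the PI Web API
# host to trusted sources using the built-in NetSecurity cmdlets. Run in an elevated session.
$Port = 443                                            # PI Web API port named in the alert
$TrustedSources = @('10.0.10.0/24', '10.0.20.15')      # constructed placeholders: replace with the
                                                       # PI Vision server, crawler host, admin workstations
$RuleName = 'PI Web API - allow trusted clients only'  # constructed rule name

# Windows Firewall gives Block rules priority over Allow rules that match the same traffic, so a
# broad Block on the port would also block the trusted sources. Instead, rely on the profile's
# default inbound action being Block and make the scoped Allow the only rule that opens the port.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Report any other enabled inbound Allow rule that opens the port to every remote address;
# such a rule would defeat the whitelist and must be scoped or disabled by the administrator.
$BroadRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains "$Port") } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and $_.DisplayName -ne $RuleName } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
foreach ($rule in $BroadRules) {
    Write-Warning "Rule '$($rule.DisplayName)' allows TCP/$Port from any address; scope or disable it."
}

# Create (or refresh) the scoped Allow rule for the trusted sources only.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $TrustedSources -Action Allow -Profile Domain,Private -Enabled True | Out-Null

# Show the resulting remote address scope so the change can be verified.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The warning step matters because an existing rule created by an installer that opens 443 to "Any" silently overrides the intent of the scoped rule; review its output before relying on the whitelist.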

General Considerations

Microsoft provides general guidance and information regarding Kerberos authentication, which is more secure than Basic authentication.

This alert was published in accordance with OSIsoft’s Ethical Disclosure Policy to inform administrators of potential risks, so that they can take actions to minimize the effects of the vulnerability.


Common Vulnerability Scoring System (CVSS) Score: 9.3