Alert
AL00337 - OSIsoft releases security update in PI Web API 2017 R2
2018-02-13

Summary

PI Web API has a potential vulnerability whereby input is not properly neutralized for some requests when generating an error message. This vulnerability is addressed in the PI Web API 2017 R2 release.

OSIsoft recommends upgrading the affected software package to address the issue. The resolved issue was rated Medium (CVSS 4.0-7.0) using the Common Vulnerability Scoring System (CVSS).

Impact

The highest impact of this vulnerability is that malicious scripts could be reflected into web pages leveraging the PI Web API.

Note: PI Vision and PI Web API are not exposed to this vulnerability when accessed directly through a browser. This vulnerability could be exposed by a third-party web application that uses PI Web API for data access and does not handle the response in scope appropriately. If PI Web API is not being used for anything other than PI Vision, there is no exposure to this vulnerability.

Affected Software

This issue applies to versions prior to PI Web API 2017 R2.

Recommendation

Upgrade to PI Web API 2017 R2 SP1 where this issue has been addressed. PI Web API 2017 R2 SP1 is available through the PI AF Services 2017 R2 Update 1 or PI Vision 2017 R2 Update 1 installation kits and also addresses the issue described in AL00336 - OSIsoft releases security update in PI Web API 2017 R2 SP1.

When OSIsoft issued this security bulletin was it aware of this vulnerability being exploited?

No exploits to this vulnerability have been reported.

Defensive Measures

To prevent exploitation of this issue, any third-party application leveraging the PI Web API for data access should sanitize responses from PI Web API.

General Considerations

OWASP provides general guidance on input validation in their Input Validation Cheat Sheet, which can help third-party applications leveraging the PI Web API defend against this issue.
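The Defensive Measures and General Considerations sections both come down to the same practice for a third-party client: treat error text returned by PI Web API as untrusted data, not as markup. The following is an added illustration written for this alert; it is not OSIsoft code and not part of the PI Web API, and the shape of the error body (an "Errors" array of strings) is a constructed assumption for the example only.

```javascript
// Added example (not OSIsoft code): handling API error text safely in a
// third-party web client. The response body shape below is constructed.

// Escape the characters that change meaning when text is placed into HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample: an error body that echoes a request fragment verbatim.
const sampleErrorBody = {
  Errors: ["Item not found: <img src=x onerror=alert(1)>"]
};

// Vulnerable pattern ("before"): concatenates server-supplied text into markup,
// so any tag in the message is interpreted by the browser.
function renderErrorUnsafe(body) {
  return '<div class="error">' + body.Errors.join("<br>") + "</div>";
}

// Hardened pattern: validate the structure, then escape every message before
// it reaches markup. Unexpected bodies fall back to a fixed message.
function renderErrorSafe(body) {
  const messages =
    body && Array.isArray(body.Errors) && body.Errors.length > 0
      ? body.Errors
      : ["Unknown error"];
  return (
    '<div class="error">' + messages.map(escapeHtml).join("<br>") + "</div>"
  );
}

// Self-check: the hardened output must not contain any raw tag from the input.
function hardenedOutputIsInert(body) {
  const html = renderErrorSafe(body);
  const inner = html.slice('<div class="error">'.length, -"</div>".length);
  return !/<(?!br>)/.test(inner);
}

module.exports = { escapeHtml, renderErrorUnsafe, renderErrorSafe, hardenedOutputIsInert };
```

In a browser the simplest form of the same rule is to assign error text with textContent rather than innerHTML; the escaping function above is for the cases where a client builds an HTML string first (templating, logging panels, toast messages).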

This alert was published in accordance with OSIsoft’s Ethical Disclosure Policy to inform administrators of potential risks, so that they can take actions to minimize the effects of the vulnerability.

References

Common Vulnerability Scoring System (CVSS) Score: 4.7
CVSS Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
OSIsoft's Ethical Disclosure Policy: https://techsupport.osisoft.com/Troubleshooting/Ethical-Disclosure-Policy

Common Weakness Enumeration (CWE): http://cwe.mitre.org/
Common Vulnerability Scoring System (CVSS): https://nvd.nist.gov/cvss.cfm
Security Development Lifecycle (SDL): http://www.microsoft.com/en-us/sdl/default.aspx