AL00338 - OSIsoft releases security update in PI Vision 2017 R2


PI Vision 2017 R2 updates the default configuration of HTTP headers to reflect best practices. Specifically, the following changes were implemented to address the related issues:
  1. Server response header removed to prevent disclosure of the IIS web server version.
  2. Referrer-policy response header set to "no-referrer" to prevent disclosure of URLs to external sites.
  3. X-XSS-Protection response header set to "1; mode=block" to instruct the client browser not to render the document if the XSS Auditor detects cross-site scripting.
OSIsoft recommends upgrading the affected software package to address these issues. The three resolved issues were rated Medium (CVSS 4.0-7.0) using the Common Vulnerability Scoring System (CVSS).


The maximum impact of Issues (1) and (2) is information disclosure to unauthorized parties: the IIS web server version and PI Vision display URLs, respectively.

Lack of additional XSS protection, as described in Issue (3), makes it easier to inject malicious scripts into PI Vision web pages, since the XSS mitigation in the browser is not enabled.

A summary of CVSS scores for these issues, with vectors, is included below.

Common Vulnerability Scoring System (CVSS)
Issue  Score  Vector
1      4.3    AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
2      4.3    AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
3      6.1    AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Software

These issues apply to versions prior to PI Vision 2017 R2.


Upgrade to PI Vision 2017 R2 Update 1 to address these issues automatically. PI Vision 2017 R2 Update 1 is recommended as it also addresses the PI Web API issue described in AL00336 - OSIsoft releases security update in PI Web API 2017 R2 SP1.

Alternatively, all of these issues can be addressed through configuration as described in Defensive Measures below.

When OSIsoft issued this security bulletin was it aware of this vulnerability being exploited?

There have been no exploit activities reported related to these issues.

Defensive Measures

Issue (1) can be addressed through configuration by adding a rewrite rule to replace the Server response header. Using this strategy requires the UrlRewrite module published by Microsoft, available through the Web Platform Installer or

Issue (2) can be addressed by adding the HTTP response header Referrer-Policy with a value of "no-referrer" and issue (3) can be addressed by adding the X-XSS-Protection HTTP response header with a value of "1; mode=block" in the PI Vision web.config file. For detailed instructions on how to add a custom HTTP response header, see Custom Headers on IIS.NET. That guide provides instructions for both IIS Manager and configuration files.
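The configuration described for issues (1), (2) and (3) above, as an added example that is not OSIsoft's own configuration nor the configuration shipped with PI Vision 2017 R2. It assumes the Microsoft URL Rewrite module is installed (the <rewrite> section does nothing without it) and that the fragment is merged into the existing system.webServer section of the PI Vision web.config rather than replacing it; the rule name is a placeholder.

```xml
<!-- Added example (not OSIsoft's configuration): web.config fragment for
     issues (1)-(3) of this alert. Assumes the URL Rewrite module is installed.
     Merge into the existing <system.webServer> element of the PI Vision
     web.config; do not replace that element wholesale. -->
<configuration>
  <system.webServer>

    <!-- Issue (1): rewrite the outgoing "Server" header so the IIS version
         is not disclosed. RESPONSE_SERVER is the URL Rewrite server variable
         for that response header. An empty value strips the header; a fixed
         string such as value="web" would replace it instead. -->
    <rewrite>
      <outboundRules>
        <!-- "Suppress Server header" is a placeholder rule name -->
        <rule name="Suppress Server header">
          <match serverVariable="RESPONSE_SERVER" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>

    <!-- Issues (2) and (3): add the two response headers with the values
         given in this alert. <remove> precedes each <add> so the entry is not
         duplicated (a configuration error) if a parent-level web.config or
         applicationHost.config already defines the same header. -->
    <httpProtocol>
      <customHeaders>
        <remove name="Referrer-Policy" />
        <add name="Referrer-Policy" value="no-referrer" />
        <remove name="X-XSS-Protection" />
        <add name="X-XSS-Protection" value="1; mode=block" />
      </customHeaders>
    </httpProtocol>

  </system.webServer>
</configuration>
```

After saving the file (IIS reloads web.config automatically), confirm the result by requesting a PI Vision page and inspecting the response headers in the browser's developer tools or any HTTP client: the Server header should be absent (or carry the replacement value), and Referrer-Policy and X-XSS-Protection should be present with exactly the values above. If the <rewrite> element causes a configuration error, the URL Rewrite module is not installed on that server.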

For additional guidance on web security for PI Vision, please see KB01631 - Security Tips for PI Vision.

General Considerations

The web security guidelines published by Mozilla provide a concise overview of defensive measures configurable for web applications. This alert was published in accordance with OSIsoft’s Ethical Disclosure Policy to inform administrators of potential risks, so that they can take actions to minimize the effects of the vulnerability.


Common Weakness Enumeration (CWE):
Common Vulnerability Scoring System (CVSS):
Security Development Lifecycle (SDL):
OSIsoft's Ethical Disclosure Policy: