Security Process

Unified Automation is committed to secure software development and to constant security improvement. The approach to reaching this goal has many aspects. Its foundation is a solid development process that we follow to create, deliver and maintain software of the highest quality.

Secure Software Development

The software tools, applications and libraries are developed following a defined procedure that includes the following fundamental steps:

  • Good programming style
  • Secure software development life cycle
  • Static code analysis using various different tools
  • Extensive unit and component tests, industrial system tests
  • Security analysis and fuzz testing
  • OPC Foundation certification test (CTT) and interoperability test (IOP)

Security Response Team

In addition, we have a team of experts that monitors security issues as they arise. The team follows a process of analysing, classifying and resolving reported issues in a timely fashion. The team publishes vulnerability reports and informs customers that may use affected products.

Security Bulletins - Vulnerability Reports

Depending on the outcome of the in-depth analysis, we decide whether to inform only our customers or to make the security report publicly available. Vulnerability reports that are disclosed to the general public can be found here:

 #  | Date Published    | CVE Number                      | Brief Description                                                | Report Status
  1 | April 9, 2014     | CVE-2014-0160                   | Heartbleed Bug in OpenSSL                                        | public
  2 | March 3, 2015     | CVE-2015-0286                   | ASN.1 Crash                                                      | restricted *
  3 | July 31, 2017     | CVE-2017-12069                  | XML External Entity attack when using DTD                        | restricted *
  4 | March 8, 2018     | CVE-2018-7559                   | UserAuthentication Token Exploit                                 | public
  5 | May 18, 2018      | n/a                             | Kaspersky 17 zero-day Exploits                                   | restricted *
  6 | July 01, 2018     | CVE-2018-12086                  | Endless Recursion in DiagnosticInfo                              | public
  7 | July 01, 2018     | CVE-2018-12087                  | Decrypt PWD sent by Client over insecure connection              | restricted *
  8 | October 26, 2018  | n/a                             | Unexpected Request                                               | restricted *
  9 | November 13, 2019 | n/a                             | Unquoted Service Path                                            | restricted *
 10 | March 10, 2020    | CVE-2019-19135                  | Insufficient ServerNonce                                         | public
 11 | November 16, 2020 | CVE-2020-29457                  | Multiple Error Suppression                                       | restricted *
 12 | February 17, 2021 | CVE-2017-12069, CVE-2021-27434  | UPDATE: XML External Entity attack when using DTD                | restricted *
 13 | February 17, 2021 | CVE-2021-27432                  | Endless Recursion in XML Structures                              | restricted *
 14 | March 18, 2021    | CVE-2021-3450                   | Strict Certificate Chain Validation                              | public
 15 | November 11, 2021 | CVE-2021-3541                   | Exponential Entity Expansion (DoS) in LibXML2                    | public
 16 | December 10, 2021 | CVE-2021-44228                  | Zero-Day security vulnerability Log4Shell in log4j v2.x          | public
 17 | December 21, 2021 | CVE-2021-45117                  | Response message Statuscode (PoD)                                | restricted *
 18 | March 17, 2022    | CVE-2022-0778                   | ModSqrtFct endless loop (DoS) in OpenSSL                         | public
 19 | April 19, 2022    | CVE-2022-29863, CVE-2022-29866  | Uncontrolled Resource Consumption (DoS) in .NET SDK              | restricted *
 20 | April 20, 2022    | CVE-2022-29865                  | Bypass Trust Check in .NET SDK                                   | restricted *
 21 | April 22, 2022    | CVE-2022-29862                  | Chained Certificate Loop PoD                                     | restricted *
 22 | April 22, 2022    | CVE-2022-29864                  | Reference Counter Decrement DoS                                  | restricted *
 23 | April 22, 2022    | n/a                             | JFrog 12 zero-day Exploits DoS                                   | restricted *
 24 | October 24, 2022  | CVE-2022-44725                  | Autoload Config File (PrivEsc) in OpenSSL                        | public

* Restricted Security Bulletin (customers only) - request via Support Form