Security Process
Unified Automation is commited to secure software development and to constant security improvement. The approach to reach this goal has many aspects. The fundamental basics are founded in a solid development process which we have conducted to create, deliver and maintain highest quality software.
Secure Software Development
The software tools, applications and libraries are developed following a defined procedure that includes the following fundamental steps:
- Good programming style
- Secure software development life cycle
- Static code analysys using various different tools
- Extended unit- and component tests, industrial system test
- Security analysis and fuzzy testing
- OPC Foundation certification test (CTT) and interoperability test (IOP)
Security Response Team
In addition we have a team of experts that monitor security as they arise. The team follows a process analysing, classifying and resolving reported issues in a timely fashion. The team publishes vulnerability reports and informs customers that may use affected products.
Security Bulletins - Vulnerability Reports
Depending on the outcome of the deep analysis we decide to inform our customers only or to make the security report public available. Vulnerability reports that are disclosed to the general public can be found here:
| # | Date Published | CVE Number | Brief Description | Report Status |
| 1 | April 9, 2014 | CVE-2014-0160 | Heartbleed Bug in OpenSSL | public |
| 2 | March 3, 2015 | CVE-2015-0286 | ASM1 Crash | restricted * |
| 3 | July 31, 2017 | CVE-2017-12069 | XML External Entity attack when using DTD | restricted * |
| 4 | March 8, 2018 | CVE-2018-7559 | UserAuthentication Token Exploit | public |
| 5 | May 18, 2018 | n/a | Kaspersky 17 zero-day Exploits | restricted * |
| 6 | July 01, 2018 | CVE-2018-12086 | Endless Recursion in DiagnosticInfo | public |
| 7 | July 01, 2018 | CVE-2018-12087 | Decrypt PWD sent by Client over insecure connection | restricted * |
| 8 | October 26, 2018 | n/a | Unexpected Request | restricted * |
| 9 | November 13, 2019 | n/a | Unquoted Service Path | restricted * |
| 10 | March 10, 2020 | CVE-2019-19135 | Insufficient ServerNonce | public |
| 11 | November 16, 2020 | CVE-2020-29457 | Multiple Error Suppression | restricted * |
| 12 | February 17, 2021 | CVE-2017-12069 CVE-2021-27434 | UPDATE: XML External Entity attack when using DTD | restricted * |
| 13 | February 17, 2021 | CVE-2021-27432 | Endless Recursion in XML Structures | restricted * |
| 14 | March 18, 2021 | CVE-2021-3450 | Strict Certificate Chain Validation | public |
| 15 | November 11, 2021 | CVE-2021-3541 | Exponential Entity Expansion (DoS) in LibXML2 | public |
| 16 | December 10, 2021 | CVE-2021-44228 | Zero-Day security vulnerability Log4Shell in log4j v2.x | public |
| 17 | December 21, 2021 | CVE-2021-45117 | Response message Statuscode (PoD) | restricted * |
| 18 | March 17, 2022 | CVE-2022-0778 | ModSqrtFct endless loop (DoS) in OpenSSL | public |
| 19 | April 19, 2022 | CVE-2022-29863 CVE-2022-29866 | Uncontrolled Resource Consumption (DoS) in .NET SDK | restricted * |
| 20 | April 20, 2022 | CVE-2022-29865 | Bypass Trust Check in .NET SDK | restricted * |
| 21 | April 22, 2022 | CVE-2022-37013 | Chained Certificate Loop PoD | restricted * |
| 22 | April 22, 2022 | CVE-2022-37012 | Referece Counter Decrement DoS | restricted * |
| 23 | April 22, 2022 | n/a | JFrog 12 zero-day Exploits DoS | restricted * |
| 24 | October 24, 2022 | CVE-2022-44725 | Autoload Config File (PrivEsc) in OpenSSL | public |
| 25 | February 15, 2023 | CVE-2023-27321 | ZDI ConditionRefresh in .NET SDK DoS | restricted * |
| 26 | February 16, 2023 | CVE-2023-0286 CVE-2022-4203 CVE-2022-4304 | 3 out of 8 bugs in OpenSSL | public |
| 27 | February 17, 2023 | n/a | Skip Certificate Loop in C-Stack PoD | restricted * |
| 28 | December 08, 2023 | n/a | .NET Server SDK Push access to CertificateGroups | restricted * |
* Restricted Security Bulletin (customers only) - request via Support Form
