Security Process

Unified Automation is commited to secure software development and to constant security improvement. The approach to reach this goal has many aspects. The fundamental basics are founded in a solid development process which we have conducted to create, deliver and maintain highest quality software.

Secure Software Development

The software tools, applications and libraries are developed following a defined procedure that includes the following fundamental steps:

  • Good programming style
  • Secure software development life cycle
  • Static code analysys using various different tools
  • Extended unit- and component tests, industrial system test
  • Security analysis and fuzzy testing
  • OPC Foundation certification test (CTT) and interoperability test (IOP)

Security Response Team

In addition we have a team of experts that monitor security as they arise. The team follows a process analysing,  classifying and resolving reported issues in a timely fashion. The team publishes vulnerability reports and informs customers that may use affected products.

Security Bulletins - Vulnerability Reports

Depending on the outcome of the deep analysis we decide to inform our customers only or to make the security report public available. Vulnerability reports that are disclosed to the general public can be found here:

Date Published CVE Number Brief Description Report Status
April 9, 2014 CVE-2014-0160 Heartbleed Bug in OpenSSL public
March 3, 2015 CVE-2015-0286 ASM1 Crash restricted *
July 31, 2017 CVE-2017-12069 XML External Entity attack when using DTD restricted *
March 8, 2018 CVE-2018-7559 UserAuthentication Token Exploit public
May 18, 2018 n/a Kaspersky 17 zero-day Exploits restricted *
July 01, 2018 CVE-2018-12086 Endless Recursion in DiagnosticInfo public
July 01, 2018 CVE-2018-12087 Decrypt PWD sent by Client over insecure connection restricted *
October 26, 2018 n/a Unexpected Request restricted *
November 13, 2019 n/a Unquoted Service Path restricted *
March 10, 2020 CVE-2019-19135 Insufficient ServerNonce public
November 16, 2020 CVE-2020-29457 Multiple Error Suppression restricted *
February 17, 2021 CVE-2017-12069
UPDATE: XML External Entity attack when using DTD restricted *
February 17, 2021 CVE-2021-27432 Endless Recursion in XML Structures restricted *
March 18, 2021 CVE-2021-3450 Strict Certificate Chain Validation public
November 11, 2021 CVE-2021-3541 Exponential Entity Expansion (DoS) in LibXML2 public

* Restricted Security Bulletin (customers only) - request via Support Form