Security Bulletins

Despite the strict methods and precautions employed when designing, developing and packaging our products, security vulnerabilities may occur. This page lists all known security alerts on products designed by ARC Informatique. Visit it frequently to get up to date information. Security vulnerability is a matter we take very seriously. It is our policy and practice to swiftly deal with it and help you protect your systems. Security bulletins are available to our customers to describe vulnerabilities and give guidance in the mitigation effort. To report a security vulnerability or provide feedback, you can contact us using the point of contact described in the Contact section of our Vulnerability Disclosure Policy.
Alert Id Status Last update Description Product Security bulletin
2024‑1 In progress May 2nd 2024 A Buffer overflow vulnerability affects the IEC 61850 client driver.
CVE Id : Assignment in progress
Fixed in: PcVue 15.2.9, PcVue 16.1.2
Patch planned in: PcVue 16.2.0, PcVue 12.0.30
All versions since PcVue 10.0 SB2024-1
2023‑4 In progress May 2nd 2024 Use of a vulnerable version of the Mosquitto library.
CVE Id: CVE-2023-0809, CVE-2023-3592
Fixed in : PcVue 16.1.2
Patch planned in : PcVue 16.2.0
All versions since PcVue 15.0
SB2023-4
2023‑3 In progress May 2nd 2024 Use of a vulnerable version of the OpenSSL library.
CVE Id: CVE-2022-4304
Fixed in: PcVue 16.1.0 (OpenSSL 3.1.2)
Patch planned for: PcVue 16.2.0 (OpenSSL 3.2.1)
CVE Id: CVE-2023-4807, CVE-2023-5678
Fixed in: PcVue 16.1.2 (OpenSSL 3.2.0)
Patch planned for: PcVue 16.2.0 (OpenSSL 3.2.1)
PcVue 12
PcVue 15
PcVue 16
SB2023-3
2023‑2 In progress May 2nd 2024 Remote Code Execution vulnerability in the Microsoft Visual Basic for Applications runtime
CVE Id: CVE-2010-0815 (MS10-031), CVE-2012-1854 (MS12-046)
Patch provided with: PcVue 16.1.1, PcVue 16.0.4, PcVue 15.2.8, FrontVue 16.1.1, FrontVue 15.2.8
Patch planned for: PcVue 16.2.0, PcVue 12.0.30, FrontVue 16.2.0, FrontVue 12.0.30
PcVue version 9.0 to 16.1
FrontVue version 4.2 to 16.1
SB2023-2
2023‑1 Completed Oct 2nd 2023

Multiple vulnerabilities have been fixed in the UaGateway :
- CVE-2022-4304 - OpenSSL library
- CVE-2023-0286 - OpenSSL library
- ZDI-CAN-20353 - Certificate Parsing Integer Overflow Denial-of-Service
- ZDI-CAN-20494 - Improper Input Validation Denial-of-Service
- ZDI-CAN-20495 - Null Pointer Dereference Denial-of-Service
- ZDI-CAN-20497 - Use-After-Free Denial-of-Service
Fixed in UaGateway version 1.5.13

- ZDI-CAN-20497 - Use-After-Free Denial-of-Service
- ZDI-CAN-20576 - AddServer XML Injection Denial-of-Service
- ZDI-CAN-20577 - NodeManagerOpcUa Use-After-Free Remote Code Execution
Fixed in UaGateway version 1.5.14

UaGateway versions prior to 1.5.14 Refer to Unified Automation Security Bulletins and UaGateway Changelog for more details.
2022‑7 Completed Jan 23rd 2023 A vulnerability affects the configuration of SMS & Email Accounts.
CVE Id: CVE-2022-4312
Fixed in PcVue 12.0.28 and PcVue 15.2.4
All versions since PcVue 8.10 SB2022-7
2022‑6 Completed Dec 20th 2022 An Insertion of Sensitive Information in Log File vulnerability affects the DbConnect configuration.
CVE Id: CVE-2022-4311
Fixed in PcVue 15.2.3.
PcVue 15 SB2022-6
2022‑5 Completed Jan 23rd 2023 A Denial of Service vulnerability affects the IEC 61850 client driver and the ICCP/TASE.2 interface.
CVE-2022-38138
Fixed in PcVue 12.0.28 and PcVue 15.2.3
IEC 61850 : PcVue 10.0 onward
ICCP/TASE.2 : PcVue 15.1
SB2022-5
2022‑4 Completed Sep 19th 2022 A vulnerability affects the configuration of the OAuth web service.
CVE-2022-2569
Fixed in PcVue 12.0.27 and PcVue 15.2.3
PcVue 12
PcVue 15
SB2022-4
2022‑3 Completed Jan 7th 2022 During the Miami Pwn2Own contest the Zero Days Initiative (ZDI) reported multiple vulnerabilities.
- CVE-2022-29862 - Chained Certificate Loop PoD
- CVE-2022-29864 - Reference Counter Decrement DoS
Fixed in UaGateway version 1.5.10
UaGateway versions prior to 1.5.10 Refer to Unified Automation Security Bulletins for more details.
2022‑2 Completed Jul 5th 2022 CVE-2021-45117 - OPC Foundation, autogenerated ANSI C Stack Stubs
CVE-2022-0778 - OpenSSL library
Fixed in UaGateway version 1.5.9
UaGateway versions prior to 1.5.9 Refer to Unified Automation Security Bulletins for more details.
2022‑1 Completed Feb 28th 2022 Ocean Data Systems Dream Report privilege escalation vulnerabilities.
- Dream Report 5: CVE-2020-13532, CVE-2020-13533, CVE-2020-13534
- Dream Report 2020: CVE-2021-21957
Fixed in Dream Report 2020 R2 SP1
Dream Report
2021‑1 Completed Dec 16th 2021 Timeline and concerns related to the Apache Log4j vulnerability
CVE-2021-44228, CVE-2021-45046
SB2021-1
2020‑1 Completed Aug 2nd 2021 3 vulnerabilities affect the interface between the Web & Mobile back end and the web services hosted in Microsoft IIS
CVE-2020-26867, CVE-2020-26868, CVE-2020-26869
PcVue 8.10 and later SB2020-1
2018‑1 Completed Jan 22nd 2018 ICS-ALERT-18-011-01B: Timeline and concerns related to the Microsoft Windows updates designed to mitigate the Meltdown & Spectre vulnerabilities PcVue,
FrontVue,
PlantVue,
Partner products
SB2018-1
2012‑2 Completed Aug 30th 2012 ICSA-12-024-01: Ocean Data Systems Dream Reports XSS and write access violation vunlerabilities.
CVE-2011-4038, CVE-2011-4039
Dream Report versions prior to 4.0 -
2012‑1 Completed Nov 21st 2014 ActiveBar, a 3rd party component used in our products is subject to an alert. More information is available at Microsoft KB2562937
Microsoft released a Windows security update addressing this issue in August 2011.
PcVue 6.0 and later,
FrontVue - All versions,
PlantVue - All versions
SB2012-1
2011‑1 Completed Nov 21st 2014 ICS-ALERT-11-271-01: PcVue HMI/SCADA multiple ActiveX Vulnerabilities
CVE-2011-4042, CVE-2011-4043, CVE-2011-4044, CVE-2011-4045
PcVue 6.0 and later,
FrontVue - All versions,
PlantVue - All versions
SB2011-1