November 28, 2018
T13-006
Honeywell ECC Technical Bulletin
Author: Ramesh Ajitaprasad
SUBJECT: / WEBs-AX Security Patch Release & Installation Notes
ISSUE: / The security patch removes a directory traversal vulnerability that may allow a user with a valid user account or guest privileges to escalate their privileges on a WEBs-AX system.
APPLIES TO: / All customers who are using the WEBs-AX 3.5, WEBs-AX 3.6 and WEBs-AX 3.7 releases. This patch does not affect any standard Niagara configuration or functionality. The only impact of the change is to remove the aforementioned vulnerability.
DESCRIPTION: / As part of Honeywell’s ongoing effort to improve the security of WEBs-AX software, powered by the Niagara-AX Framework®, a free security patch for WEBs-AX versions 3.5, 3.6 and 3.7 is now available.
BACKGROUND: / This is a security patch to WEBs-AX 3.5, 3.6, and 3.7 that addresses the vulnerability associated with the Security Bulletin (13-0006) released by Honeywell on February 14, 2013.
ACTION: / Honeywell strongly recommends that all customers apply this security patch. Customers with systems running a version of WEBs-AX released prior to 3.5 should upgrade to the latest version of the Niagara framework to take advantage of the latest security improvements.
For WEBs-AX software release 3.5
• Update to at least WEBs-AX version 3.5.39.1 if you have not already.
• Apply the security patch available here.
For WEBs-AX software release 3.6
• Update to at least WEBs-AX version 3.6.47.1 if you have not already.
• Apply the previous security patch available here.
For WEBs-AX software release 3.7
• The security patch should be applied to WEBs-AX 3.7.44.
• Apply the security patch available here.
• Honeywell will be including this security patch in an upcoming release of WEBs-AX 3.7.46.
For a WEB Supervisor or Workbench:
- Download the appropriate zip file for the Niagara AX version to be patched.
   b. For 3.6 download the 3.6 Security Patch.
   c. For 3.7 download the 3.7 Security Patch.
- Start Workbench and open a platform connection to the local host.
- Open the Application Director view and stop any running stations.
- Close all instances of Workbench.
- Extract the zip file to the "modules" directory of the WEBs-AX installation on your PC or laptop. (Ex. C:\Honeywell\WEBStation-AX-3.6.47\modules).
- If patching a WEB Supervisor:
   b. Log in to the patched supervisor station and review the configuration per the change details listed above.
For an embedded WEBs-AX controller (JACE):
- Start Workbench on a Niagara instance that has been patched as described above.
- Open a platform connection to the WEB Controller to be updated.
- Open the Software Manager view.
- Update the out-of-date modules. The only module included in this patch is web.
- Reboot the WEBs controller.
- Log in to the patched WEBs controller and review the configuration per the change details listed above.
REFERENCES: / Honeywell Bulletin 13-0006
Security Patch is available at:
The Buildings Forum - Home > Honeywell WEBs™ > WEBs-AX Software Releases > Software Security Patch
If you have questions regarding this bulletin, please contact Honeywell ECC’s WEBs Squad.
Phone: 1(888) 235-6048
Email: