OMRON CJ series and CS/CJ Series EtherNet/IP unit vulnerable to Denial-of-Service (DoS)


A denial-of-service (DoS) vulnerability caused by improper validation of specified type of input (CWE-1287) exists in the built-in EtherNet/IP port of the CJ Series CJ2 CPU unit and in the communication function of the CS/CJ Series EtherNet/IP unit provided by OMRON Corporation.

OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.5 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
Affected Products

OMRON Corporation
  • CJ1W-EIP21 V3.04 and earlier (CS/CJ Series EtherNet/IP Unit)
  • CJ2H-CPU6[]-EIP Unit version of the built-in EtherNet/IP section Ver. 3.04 and earlier (CJ2H CPU Unit)
  • CJ2M-CPU3[] Unit version of the built-in EtherNet/IP section Ver. 2.18 and earlier (CJ2M CPU Unit)
  • CS1W-EIP21 V3.04 and earlier (CS/CJ Series EtherNet/IP Unit)

To check whether a product/version is affected, refer to the manuals listed below.
* CJ Series CPU Unit User's Manual (Hardware) (W472-E1-15) "Unit Versions of CJ2 CPU Units" section
* CS/CJ Series EtherNet/IP Units Operation Manual (W465-E1-12) "Unit Versions of CS/CJ-series" section

If an affected product receives a packet specially crafted by a remote unauthenticated attacker, the affected unit may enter a denial-of-service (DoS) condition.

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

For details on how to obtain the update or how to update the firmware, contact the developer and/or its sales representatives.
Vendor Information

OMRON Corporation
CWE

  1. Improper Validation of Specified Type of Input (CWE-1287) [Other]
CVE

  1. CVE-2023-38744

  1. JVN : JVNVU#92193064
Revision History

  • [2023/08/03]
      Web page was published