JVNDB-2025-001016

OMRON NJ/NX series vulnerable to path traversal

Overview

The Machine Automation Controller NJ/NX series provided by OMRON Corporation contains a path traversal vulnerability (CWE-22, CVE-2024-12083).

OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

CVSS Severity

CVSS V3 Severity:
Base Metrics 6.6 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Affected Products

OMRON Corporation
  • Machine automation controller NJ series NJ101-[][][][], NJ301-[][][][], NJ501-1[]0[] Ver.1.64.05 and earlier, Lot No. 30924 (September 30, 2024) and earlier (*1)
  • Machine automation controller NJ series NJ501-1[]2[], NJ501-1340, NJ501-4[][][], NJ501-5300, NJ501-R[][][] Ver.1.64.04 and earlier, Lot No. 30924 (September 30, 2024) and earlier (*1)
  • Machine automation controller NX series NX1P2-[][][][][][], NX1P2-[][][][][][]1 Ver.1.64.04 and earlier, Lot No.19Y24 (November 19, 2024) and earlier (*2)
  • Machine automation controller NX series NX102-[][]0[] Ver.1.64.07 or earlier, Lot No.12225 (February 12, 2025) and earlier (*2)
  • Machine automation controller NX series NX102-[][]2[] Ver.1.64.07 or earlier, Lot No.24425 (April 24, 2025) and earlier (*2)
  • Machine automation controller NX series NX502-[][][][] Ver.1.66.03 or earlier, Lot No.24425 (April 24, 2025) (*2)
  • Machine automation controller NX series NX701-[][][][] Ver.1.35.04 or earlier, Lot No.24425 (April 24, 2025) (*2)
  • Machine automation controller NX series NX-EIP201 Ver.1.01.02 or earlier, Lot No.24425 (April 24, 2025) (*2)

Machine Automation Controller NJ-series:
Refer to the developer's advisory "Appendix" section regarding how to check the affected versions.
(*1) Refer to "ID Information Indication" section of the manual provided by the developer listed below.
NJ-series CPU unit Hardware User's Manual (W500)

Machine Automation Controller NX-series:
Refer to the developer's advisory "Appendix" section regarding how to check the affected versions.
(*2) Refer to "ID Information Indication" section of the manuals provided by the developer listed below.
NX102 CPU Unit User's Manual (Hardware) (W578)
NX1P2 CPU Unit User's Manual (Hardware) (W578)
NX5 CPU Unit User's Manual (Hardware) (W578)
NX7 CPU Unit User's Manual (Hardware) (W578)
NX-EIP201 EtherNet/IP™ Unit User's Manual (W578)

As for the details, refer to the information provided by the developer.

Impact

If the affected product processes a specially crafted request sent by a remote attacker with administrative privileges, arbitrary files in the product may be accessed or arbitrary code may be executed.

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
As for how to obtain the update or how to apply the update, refer to the information provided by the developer.

[Apply the workaround]
The developer recommends that users use the 'Secure Communication Function', which is implemented in the following products/versions.

* NJ series, NX102, NX1P2 CPU Unit: Version 1.49 or later
* NX701 CPU Unit: Version 1.29 or later
* NX502 CPU Unit: Version 1.60 or later
* NX-EIP201 EtherNet/IP™ Unit: Version 1.00 or later

As for the details, refer to the information provided by the developer.

Vendor Information

OMRON Corporation

CWE

  1. Path Traversal (CWE-22) [Other]

CVE

  1. CVE-2024-12083

References

  1. JVN : JVNVU#96335720

Revision History

  • [2025/01/15]
      Web page was published
  • [2025/05/08]
      Affected Products : Contents were added
      Solution was modified