During a CTI session, the Security Management Team of COPA-DATA HQ found a series of vulnerabilities in a third-party library used in the zenon Software Platform.
The security vulnerabilities (CVEs) disclosed by Progress Software Corporation affect ‘Telerik UI for WPF’ and ‘Telerik UI for WinForm’ and could allow code execution through insecure deserialization as well as command injection on affected systems. There is no indication that these vulnerabilities are being actively exploited in the wild. Telerik has published the vulnerabilities under the following IDs:
CVE-2024-7575
CVE-2024-7576
CVE-2024-8316
CVE-2024-7679
After investigating the issue, we confirm that the zenon Software Platform versions specified in this FAQ article are not affected by these vulnerabilities. The zenon Software Platform versions 8.20, 10, 11, 12 and 14 do not use the affected Telerik UI library components specified in the CVE reports. Customers running the above-mentioned versions of the zenon Software Platform are therefore not at risk from these specific CVEs.
At the time of writing, there are no plans to update the Telerik library used. If further investigations reveal that a patch is necessary, customers who have subscribed to the Security Newsletter will be actively informed.
At the time of writing, no actions are required for versions 8.20, 10, 11, 12 and 14 of the zenon Software Platform.
At the time of writing, the investigations are still ongoing.
• The CVEs target specific components of the Telerik UI for WPF and Telerik UI for WinForm libraries.
• The underlying weaknesses are CWE-77 ‘Command Injection’ and CWE-502 ‘Unsafe Deserialization’.
• The versions listed below are not affected by these vulnerabilities:
o The zenon Software Platform version 8.20 and later are not affected.
o The zenon Software Platform version 10 and later are not affected.
o The zenon Software Platform version 11 and later are not affected.
o The zenon Software Platform version 12 and later are not affected.
o The zenon Software Platform version 14 and later are not affected.
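The statement above rests on which Telerik assemblies an installation actually ships. The following PowerShell snippet is an added example, not code from COPA-DATA, Telerik or this FAQ: it inventories every Telerik*.dll below an installation directory together with its product and file version, so that the deployed components can be compared against the component list in the CVE reports. The install root is a placeholder assumption and must be adjusted to the system being checked; the function name Get-TelerikAssemblyInventory is hypothetical.

```powershell
# Added example (not COPA-DATA's or Telerik's code): list Telerik assemblies and
# their versions under an installation directory for comparison with the CVE reports.
param(
    # Placeholder install root (assumption); adjust to the zenon installation being checked.
    [string]$InstallRoot = 'C:\Program Files\COPA-DATA'
)

function Get-TelerikAssemblyInventory {
    param([Parameter(Mandatory)][string]$Root)

    if (-not (Test-Path -LiteralPath $Root)) {
        throw "Install root not found: $Root"
    }

    # Recurse through the tree and pick up every Telerik assembly, reading the
    # version resource embedded in the file so mixed library versions are visible.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'Telerik*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Assembly       = $_.Name
                ProductVersion = $_.VersionInfo.ProductVersion
                FileVersion    = $_.VersionInfo.FileVersion
                Path           = $_.FullName
            }
        }
}

$inventory = Get-TelerikAssemblyInventory -Root $InstallRoot

if (-not $inventory) {
    Write-Output "No Telerik assemblies found under $InstallRoot."
} else {
    $inventory | Sort-Object Assembly | Format-Table Assembly, ProductVersion, FileVersion -AutoSize

    # Summarise by product version: more than one group means several library
    # versions are deployed side by side and each needs to be checked separately.
    $inventory | Group-Object ProductVersion |
        ForEach-Object { Write-Output ("Version {0}: {1} assemblies" -f $_.Name, $_.Count) }
}
```

Run it from an elevated PowerShell prompt if the installation directory is not readable by the current user. The output is only an inventory; whether a listed assembly is one of the affected components is decided by the CVE reports, not by this script.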