Johnson Controls Information for VU#977312
Johnson Controls CK721-A and P2000 remote command execution vulnerability
- Date Notified:
- Statement Date:
- Date Updated: 07 Jun 2012
Vulnerability VU-977212 is addressed through the deployment of strong encryption, such as AES, for all IP-based, bi-directional communications, on all ports, between CK-721 type controllers and the P2000 Security host server. The encryption methodology used by Johnson Controls Inc. supports the FIPS 140-2 standard, with reference validation certificates No. 1051 for controllers and No. 1336 for the server.
The process to implement encryption has four steps as follows:
Step 1: Upgrade of the P2000 server security application software to version P2000 V 3.11, P2K-SW-CORE 311. P/N 27-5618-3.
Step 2: Upgrade of the hardware module of the CK-721 controller to version CK-721A. P/N 27-5379-1044.
Step 3: Upgrade of the controller firmware to current version. SSM4388_03.1.0.14_BB.
Step 4: Activation of encryption, as per the standard documentation. P/N 24-10618-147 Rev. A.
The use of encryption is considered a security industry best practice, and is recommended at all times.
Additional information and support can be obtained by contacting JCI Customer Service at 800-229-4076.
We are not aware of further vendor information regarding this vulnerability.
There are no additional comments at this time.