Johnson Controls Information for VU#977312

Johnson Controls CK721-A and P2000 remote command execution vulnerability

Status

Affected

Vendor Statement

Vulnerability VU-977212 is addressed through the deployment of strong encryption, such as AES, for all IP-based, bi-directional communications, on all ports, between CK-721 type controllers and the P2000 Security host server. The encryption methodology used by Johnson Controls Inc. supports the FIPS 140-2 standard, with reference validation certificates No. 1051 for controllers and No. 1336 for the server.

The process to implement encryption has four steps as follows:

Step 1: Upgrade of the P2000 server security application software, to version P2000 V 3.11, P2K-SW-CORE 311. P/N 27-5618-3.
Step 2: Upgrade of the hardware module, of the CK-721 controller, to version CK-721A. P/N 27-5379-1044
Step 3: Upgrade of the controller firmware, to current version. SSM4388_03.1.0.14_BB
Step 4: Activation of encryption, as per the standard documentation. P/N 24-10618-147 Rev. A

The use of encryption is considered a security industry best practice, and is recommended at all times.

Additional information and support can be obtained by contacting JCI Customer Service, at 800-229-4076.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.
