Johnson Controls Affected

Updated:  June 07, 2012



Vendor Statement

Vulnerability VU-977212 is addressed through the deployment of strong encryption, such as AES, for all IP based, bi-directional communications, on all ports, between CK-721 type controllers and the P2000 Security host server. The encryption methodology used by Johnson Controls Inc. supports the FIPS 140-2 standard, with reference validation certificates No. 1051 for controllers and No. 1336 for the server. The process to implement encryption has four steps as follows: Step 1 Upgrade of the P2000 server security application software, to version P2000 V 3.11, P2K-SW-CORE 311. P/N 27-5618-3. Step 2 Upgrade of the hardware module, of the CK-721 controller, to version CK-721A. P/N 27-5379-1044 Step 3 Upgrade of the controller firmware, to current version. SSM4388_03.1.0.14_BB Step 4 Activation of encryption, as per the standard documentation. P/N 24-10618-147 Rev. A The use of encryption is considered a security industry best practice, and is recommended at all times. Additional information and support can be obtained by contacting JCI Customer Service, at 800-229-4076

Vendor Information

We are not aware of further vendor information regarding this vulnerability.