Understand the impact and mitigation of CVE-2021-36205, a high-severity vulnerability in Metasys by Johnson Controls. Update affected versions immediately to secure systems.
Understanding CVE-2021-36205
This CVE involves a vulnerability in Metasys where the session token is not cleared under specific circumstances.
What is CVE-2021-36205?
CVE-2021-36205 is a security vulnerability in Metasys by Johnson Controls in which a user's session token is not invalidated at logout and therefore persists after the user has logged out.
The Impact of CVE-2021-36205
The severity of this vulnerability is rated HIGH under the CVSS v3.1 metrics, with impact to the confidentiality, integrity, and availability of affected systems.
Technical Details of CVE-2021-36205
Get insights into the technical aspects of CVE-2021-36205 that security professionals should be aware of.
Vulnerability Description
The vulnerability arises from incomplete cleanup of session tokens: a token that should be discarded when the session ends remains usable, which exposes the system to unauthorized reuse of that session.
Affected Systems and Versions
All Metasys ADS/ADX/OAS 10.x versions earlier than 10.1.5 and all 11.x versions earlier than 11.0.2 are affected by this vulnerability.
Exploitation Mechanism
The vulnerability is exploitable over the network, is rated as high attack complexity, and does not require any privileges on the target.
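The incomplete session cleanup described above, modelled as an added example (hypothetical code, not Metasys or Johnson Controls code): a logout handler that only clears the browser cookie leaves the server-side record valid, so a previously captured token still authenticates, while the corrected handler revokes the record first. The final function is the regression check a defender would run against a patched system: replay the token after logout and confirm it is rejected.

```python
import secrets
import time

# Constructed in-memory session store (token -> record); models the bug
# class only and is not how Metasys stores sessions.
SESSIONS = {}
SESSION_TTL = 3600  # seconds; constructed value

def login(username):
    """Issue a fresh random token and record the session server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires": time.time() + SESSION_TTL}
    return token

def is_valid(token):
    """Server-side check performed on every request."""
    record = SESSIONS.get(token)
    return record is not None and record["expires"] > time.time()

def logout_incomplete(token):
    """Vulnerable pattern: the response tells the browser to drop its cookie,
    but the server-side record is never removed, so the token keeps working."""
    return {"Set-Cookie": "session=; Max-Age=0"}

def logout_complete(token):
    """Corrected pattern: revoke the server-side record, then clear the cookie."""
    SESSIONS.pop(token, None)
    return {"Set-Cookie": "session=; Max-Age=0"}

def token_survives_logout(logout):
    """Regression check: log in, log out through the given handler, then replay
    the captured token. Returns True when the token is still accepted, i.e. the
    session cleanup was incomplete."""
    token = login("operator")  # constructed user name
    logout(token)
    still_valid = is_valid(token)
    SESSIONS.pop(token, None)  # tidy up regardless of outcome
    return still_valid

if __name__ == "__main__":
    print("incomplete logout leaves token valid:", token_survives_logout(logout_incomplete))
    print("complete logout leaves token valid:  ", token_survives_logout(logout_complete))
```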
Mitigation and Prevention
Discover the necessary steps to mitigate and prevent exploitation of CVE-2021-36205.
Immediate Steps to Take
Update all Metasys ADS/ADX/OAS 10.x installations to patch 10.1.5 and all 11.x installations to patch 11.0.2 to address this vulnerability.
Long-Term Security Practices
Implement secure coding practices and regular security audits to prevent similar vulnerabilities in the future.
Patching and Updates
Stay informed about security advisories from Johnson Controls and apply patches promptly to secure your systems.