(On-Premises Only) Security advisory for Simulation Process Intelligence (3DOrchestrate Services) on 3DEXPERIENCE: March 11th, 2020
Summary
A vulnerability associated with Use of Hard-coded Credentials (CWE-798) exists in the Simulation Process Intelligence (3DOrchestrate Services) on-premises licensed program.
The security risk is evaluated as High (CVSS v3.0 Base Score 8.0) and affects all 3DEXPERIENCE releases (from 3DEXPERIENCE R2014x to 3DEXPERIENCE R2020x).
Risk Mitigation
This vulnerability cannot be exploited by default. It can have an impact only after the 3DOrchestrate component has been configured to switch to ‘Regular Station mode’.
Dassault Systèmes is not aware of any exploitation of this vulnerability as of today.
How to access & install the update
The vulnerability is fixed in the following releases under full and/or extended support (3DS Release Life Cycle information link):
Version | Fixed Levels |
3DEXPERIENCE | 3DEXPERIENCE R2017x.FP.CFA.2008 & upper FP |
 | 3DEXPERIENCE R2018x.FP.CFA.2011 (FD13) & upper FP |
 | 3DEXPERIENCE R2019x.FP.CFA.2013 (FD08) & upper FP |
 | 3DEXPERIENCE R2020x.FP.CFA.2006 (FD01) & upper FP |
 | All 3DEXPERIENCE Releases > 3DEXPERIENCE R2020x |
In addition to the fixed releases above, we delivered an out-of-band fix for other release levels (3DS KB Article: QA00000065593).
We’re asking you to deploy either the official fixed levels or the patch to prevent any risk.
If you have any questions, concerns, or need assistance following the procedure, contact your local Dassault Systèmes Customer success team: https://www.3ds.com/support/contact/call-us