Trust Center


Overview

Welcome to the Inductive Automation Trust Portal

Thousands of companies worldwide depend on Ignition every day

Compliance

CCPA

Product Security

Audit Logging
Data Security
Integrations

Reports

PCI DSS
Pentest Report

Self-Assessments

Other Self-Assessments
SIG Lite
VSA Core

Data Security

Access Monitoring
Backups Enabled
Data Erasure

App Security

Code Analysis
Secure Development Training
Software Development Lifecycle

Access Control

Data Access
Logging
Password Security

Infrastructure

Amazon Web Services
Anti-DDoS
Data Center

Endpoint Security

Disk Encryption
DNS Filtering
Endpoint Detection & Response

Network Security

Firewall
IDS/IPS
Security Information and Event Management

Corporate Security

Asset Management Practices
Email Protection
Employee Training

Policies

We are working to provide external versions of our policies. Please contact us if specific policies are needed.

Security Grades

Qualys SSL Labs grade per host:

inductiveautomation.com: A
account.inductiveautomation.com: A
forum.inductiveautomation.com: A+
docs.inductiveautomation.com: A+
inductiveuniversity.com: A
icc.inductiveautomation.com: A
api.inductiveautomation.com: A+
licenses.inductiveautomation.com: A+
support.inductiveautomation.com: A+

Trust Center Updates

Inductive Automation Trust Center Updates

General

Inductive Automation offers a special thanks to the following security researchers from Trend Micro Zero Day Initiative, Star Labs, Incite Team, and Claroty Research Team82 for their hard work in finding and responsibly disclosing security vulnerabilities described in this tech advisory. All reported issues have been resolved as of Ignition 8.1.35. Inductive Automation recommends upgrading Ignition to the current version to address known vulnerabilities.

ZDI-CAN-17571, ZDI-CAN-17587, ZDI-CAN-22028, ZDI-CAN-22029, ZDI-CAN-22067. Credit to Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative.

ZDI-CAN-19915. Credit to Nguyễn Tiến Giang (Jang) of STAR Labs SG Pte. Ltd, working with Trend Micro Zero Day Initiative.

ZDI-CAN-20290, ZDI-CAN-20291. Credit to Rocco Calvi (@TecR0c) and Steven Seeley (mr_me) of Incite Team working with Trend Micro Zero Day Initiative.

ZDI-CAN-20499. Credit to Claroty Research - Team82: Uri Katz, Noam Moshe, Vera Vens, Sharon Brizinov.

ZDI-CAN-21801, ZDI-CAN-21624, ZDI-CAN-21625, ZDI-CAN-21926. Credit to Nguyen Quoc Viet (Petrus Viet) of VNG Security, working with Trend Micro Zero Day Initiative.

ZDI-CAN-22127. Credit to Andy Niu of Trend Micro.

CVE-2023-6834. Credit to Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg).

Published at N/A*

Ignition 8.1.35 is now available for download. This release fixes the regression introduced in 8.1.34 with remote tags. Inductive Automation recommends that all customers prioritize their upgrade to 8.1.35 based on critical security updates addressing weaknesses disclosed in this Technical Advisory including code-signing improvements and protections against unsafe Java deserialization patterns. There are no publicly known exploits.

Inductive Automation recommends following the Ignition Security Hardening Guide, especially with regards to proper network segmentation, keeping the environment up to date, and working with trusted files and systems.

Published at N/A*

Ignition 8.1.34 has been removed from our website and will be replaced with 8.1.35 as soon as possible. The build includes an issue that causes remote tag states to reflect “Bad_Stale” quality in specific circumstances. This issue only applies to systems that leverage a remote tag provider (multiple Ignition gateways communicating over the Gateway Network).

Ignition 8.1.35 will be made available once the issue is fixed and tested. This version will be unchanged from 8.1.34 except for the fix. The update is expected to be available within 2 days.

If you’ve installed 8.1.34 and are affected by this issue, you have a couple of options:

  1. Revert to a prior version of Ignition. If you have a pre-8.1.34 Gateway backup, there is an option to revert the backend gateway to the previous version. An 8.1.34 Frontend works as expected.
  2. Stay on 8.1.34 and apply a workaround. Contact Inductive Automation Support to work around the issue with 8.1.34. This will involve installing additional modules on the backend gateway.

A new announcement will be posted when 8.1.35 is released. Inductive Automation recommends that all customers running 8.1.34 upgrade to the latest version once it is available.

Published at N/A*

Inductive Automation recommends that customers upgrade Ignition to 8.1.34. This version includes critical security updates addressing weaknesses disclosed in this Technical Advisory including code signing improvements and protections against unsafe Java deserialization patterns. There are no publicly known exploits. Additionally, Inductive Automation recommends following the Ignition Security Hardening Guide, especially with regards to proper network segmentation, keeping the environment up to date, and working with trusted files and systems.

Published at N/A*

As an update to our Technical Advisory of 8 August 2023, Inductive Automation is actively addressing the vulnerabilities disclosed earlier this month as a top priority. ZDI-CAN-17571 (XXE attack) will be fixed in Ignition 8.1.32 (Sep 12th release). ZDI-CAN-20499 (OPC-UA resource exhaustion) is on track for 8.1.33 (Oct 17th). We have completed design work, including threat modeling and attack surface analysis, and are implementing the fixes for the Java deserialization vulnerabilities. Additional reports have been submitted to IA by security researchers following the ZDI disclosure this month. These are being verified in detail and are believed to be variants of existing submissions that will be addressed by the upcoming updates. These vulnerabilities can be mitigated by following best practices from the Ignition Security Hardening Guide, especially proper network segmentation, keeping the environment up to date, and working only with trusted files and systems.

Published at N/A*

Today, the Zero Day Initiative (ZDI) published six security advisories related to Ignition 8.1. We are actively investigating and working on fixes. You can read our response to each of these advisories and our recommendations for mitigation at: https://support.inductiveautomation.com/hc/en-us/articles/18333051904653--Tech-Advisory-Regarding-the-Security-Advisories-Published-by-the-ZDI-on-8-August-2023

Published at N/A*

Trust Center Updates are the primary public information conduit for Coordinated Vulnerability Disclosure (CVD) with Ignition. Please subscribe for email updates. Posts and associated emails summarize Ignition-related vulnerabilities, issues, impact, and recommendations. Technical Advisory links will often include additional information.

Inductive Automation takes pride in its significant investment in stability, security, quality, and privacy throughout the entire Ignition secure Software Development Lifecycle (SDLC) and associated processes. This includes a commitment to prioritize resolution, proactively seek out vulnerabilities, and be transparent with our outstanding community. We regularly commission third-party penetration testing and participate in the S4x Pwn2Own competition each year!

Recommendations: Inductive Automation provides resources such as the Ignition Security Hardening Guide and the Ignition Server Sizing and Architecture Guide. The online user manual, Inductive University, and the forum also provide free resources. Paid training is also available.

Inductive Automation recommends partnering with one of the thousands of System Integrators who can help navigate the process of securing and assuring Ignition within the customer environment throughout the system lifecycle in accordance with business requirements.

Reporting and communication: Inductive Automation welcomes all feedback, especially on security-related matters. The best email address is: security@inductiveautomation.com, using the Inductive Automation public PGP key if encrypted communication is needed. Support, Account Representatives, and Sales Engineers are also available to help.

Published at N/A*

Ignition is back at ICS Pwn2Own, S4x23 Miami, 14-16 Feb. 2023

General

Inductive Automation fixed an RCE vulnerability disclosed by the Zero Day Initiative (ZDI), independently exploited by Team82 (Claroty) and 20urdjk "Urge" security researchers as part of the ICS Pwn2own 2023 ethical hacking competition. The update will be included in 8.1.26, available in the "nightly" build on Feb 17th.

https://inductiveautomation.com/downloads/ignition/

Great work from ZDI, Claroty, "Urge", and the Inductive Automation Development and QA teams!!!

Published at N/A

Announcement. Inductive Automation will be back to compete in the ICS/SCADA-themed Pwn2Own event at S4x in Miami for the “OPC UA Server” and “OPC UA Client” categories. Attack Scenarios are: Denial of Service (DOS), Remote Code Execution (RCE), Credential Theft, and Bypass Trusted Application Check. Other categories include “Data Gateway” and “Edge”.

Best of luck to all participants! Updates to follow as vulnerabilities are found and fixed!

ZDI Announcement

Published at N/A*

Session token appears to exist in Ignition login URL. False Positive

General

False positive. The best practice configuration recommendation is to enforce https (TLS 1.2+) with genuine certificates in accordance with the Ignition Security Hardening Guide, preferably enabling HSTS.

Background. Some cybersecurity scanning tools flag a URL string like "idp/default/authn/login?token=xxxx", assuming that the token is a session identifier. It is not. The token is a cryptographic nonce with a short "time to live" value. Ignition uses the token to orchestrate the handoff between the internal Ignition Identity Provider's OpenID Connect authorization endpoint and the authentication workflow. This is separate from a nonce variable that might also appear in the same URL string.

The token is bound to the user's session, which is tracked by an HTTP cookie passed in the HTTP headers. The session cookie is protected when Ignition is properly configured to use https. It follows that as long as a user's session is secure, the associated tokens are also secure, even if they are leaked, since an attacker would also have to know the session ID in order to use the token.
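To make the triage reasoning concrete, here is an added illustrative model (not Ignition's implementation; the class, key and session values are constructed assumptions) of a short-lived, single-use handoff token bound to a session cookie. It shows that a token leaked from a URL is useless without the matching session, and also fails after its time to live or after it has been redeemed once.

```python
import hashlib
import hmac
import secrets

# Assumed short time to live for a handoff token, in seconds.
TOKEN_TTL_SECONDS = 60


class HandoffTokenStore:
    """Illustrative issuer of one-time login handoff tokens tied to a session id."""

    def __init__(self, server_key: bytes, ttl: int = TOKEN_TTL_SECONDS):
        self._key = server_key
        self._ttl = ttl
        # token -> (HMAC of the session id it was issued for, expiry timestamp)
        self._pending: dict[str, tuple[str, float]] = {}

    def _bind(self, session_id: str) -> str:
        # Store a keyed digest rather than the raw session id.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, session_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # random nonce that appears in the URL
        self._pending[token] = (self._bind(session_id), now + self._ttl)
        return token

    def redeem(self, token: str, session_id: str, now: float) -> bool:
        entry = self._pending.pop(token, None)  # single use: consumed on first attempt
        if entry is None:
            return False  # unknown or already-redeemed token
        bound_session, expires_at = entry
        if now > expires_at:
            return False  # time to live elapsed
        # Session id comes from the cookie, not from the URL.
        return hmac.compare_digest(bound_session, self._bind(session_id))


def scenario() -> dict:
    """Walk the cases a scanner finding like this raises, on constructed data."""
    store = HandoffTokenStore(server_key=b"constructed-server-key")
    t0 = 1_700_000_000.0
    alice = "sess-alice-constructed"  # value of the legitimate session cookie
    results = {}
    # Legitimate holder of the session cookie redeems within the TTL.
    results["legitimate"] = store.redeem(store.issue(alice, t0), alice, t0 + 5)
    # Token leaked (e.g. from a URL in a log) but presented with a different session.
    results["leaked_without_session"] = store.redeem(store.issue(alice, t0), "sess-other-constructed", t0 + 5)
    # Token replayed after it has already been redeemed once.
    used = store.issue(alice, t0)
    store.redeem(used, alice, t0 + 1)
    results["replay"] = store.redeem(used, alice, t0 + 2)
    # Token presented after its time to live has elapsed.
    results["expired"] = store.redeem(store.issue(alice, t0), alice, t0 + TOKEN_TTL_SECONDS + 1)
    return results
```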

Published at N/A*

Ignition is not impacted by OpenSSL vulnerabilities

Incidents

Informational. Ignition is not affected by the OpenSSL vulnerabilities in CVE-2022-3786 and CVE-2022-3602. No action required.

After a comprehensive search for usage of the affected libraries, Inductive Automation has determined that Ignition has no reliance on, and found no evidence of, OpenSSL 3.0.x.

Published at N/A

Regarding CVE-2022-42889 (Apache Commons Text)

Incidents

Informational. Recommend upgrading to Ignition 8.1.23+. Ignition 8 versions before 8.1.23 are bundled with a vulnerable version of the Apache Commons Text library. However, Inductive Automation assesses the vulnerability as "low risk" because Ignition does not invoke any of the vulnerable functions. In other words, a local cybersecurity scanning tool may note the existence of the binary, but associated exploits are unlikely to work.

Version 8.1.23+ updates the dependency to 1.10.0, which fixes the CVE.

Tech advisory link.

Published at N/A*

Ignition Embedded SVG problem from 7.9.x (fixed 8.1.23)

General

Informational. Low impact. Upgrade to 8.1.23+ to fix. Ignition 8 versions before 8.1.23 do not properly process SVG images stored in pre-release (Alpha and Beta) versions of 8.x (prior to April 10, 2019).

The tech advisory provides upgrade instructions.

Published at N/A*

Ignition Linux ARMv6 and ARMv7 compatibility (8.1.22 update)

General

Informational. Ignition version 8.1.22, released 11/1/2022, includes an updated version of its Internal Database (SQLite) that requires a newer version of GLIBC on Linux systems running on ARMv6 and ARMv7 hardware.

The minimum required GLIBC version on ARMv6 and ARMv7 hardware will increase from v2.4 to v2.28. Consequently, some older operating systems that ship with older versions of GLIBC will be unable to run newer versions of Ignition.

The minimum required GLIBC version on x86-64 hardware remains v2.3.

Known affected: Debian 9 and its derivatives such as Raspbian 9. Debian 9 reached EOL status on June 30, 2022.

Tech advisory link.

Published at N/A*

Ignition CVE-2022-1704 (fixed 7.9.21 and 8.1.8)

Incidents

Update Ignition to 8.1.8 or greater. On July 26, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published an Industrial Control Systems (ICS) Advisory ICSA-22-207-01 disclosing Ignition security vulnerability CVE-2022-1704 that was patched in version 8.1.8.

The vulnerability enables an attacker to compromise an Ignition Gateway if a privileged Ignition user restores a maliciously crafted backup file.

Tech advisory link

Published at N/A

Microsoft SQL Server Database compatibility. TLS v1.0 and v1.1 no longer supported by default. Recommend TLS 1.2+.

General

Configure Ignition Gateway MS SQL Server connections to use TLS 1.2 or 1.3. A Java 8 (8u291+) and corresponding Java 11 (11.0.11+) security update disables the use of TLS 1.0 and 1.1, which is a recommended cybersecurity best practice. The recommended fix is to update MS SQL Server database connections on Ignition gateways (not individual Vision or Perspective runtime clients) to TLS 1.2 or 1.3. This might require configuration changes on the database server(s). Seek support from IT departments as applicable.

The IA Tech advisory includes instructions, including links from Microsoft. Alternatively, it describes how to configure Java to connect using the less secure TLS 1.0 or 1.1 (not recommended).

Published at N/A*

Ignition 2022 Pwn2Own Vulnerabilities (fixed 7.9.20 and 8.1.17).

General

Update Ignition to 8.1.17 or greater. On April 19-21, 2022, Trend Micro’s Zero Day Initiative (ZDI) brought their Pwn2Own competition back to the ICS world for a second time at the S4x22 conference. Inductive Automation eagerly participated after a successful ICS Pwn2Own at S4x20.

The Pwn2Own competition resulted in 32 entries registered by 11 contestants. Of 6 entries targeting Ignition, 4 successfully demonstrated unique exploits, 1 was a duplicate, and 1 failed to be successfully demonstrated in the time allotted. All 6 entries targeting Ignition were responsibly disclosed to Inductive Automation. One additional finding was separately disclosed by researchers who were unable to compete.

Inductive Automation thanks the ZDI and all participating researchers.

See tech advisory for detailed information.

Published at N/A*

Active Directory SSO Disabled for 8.1.17 & 7.9.20. Feature no longer safe.

General

Informational. Ignition no longer supports Single Sign On (SSO) with native Active Directory user source profiles (LDAP based). There will not be a “fix” using this technology set. The implication is that a user must separately log on to Windows and Ignition environments (Designer, Gateway, and Clients). Inductive Automation recommends integration with Identity Providers using the modern OpenID Connect or SAML protocols. For Microsoft environments, this could be AzureAD or many other options.

Tech advisory link

Published at N/A

CISA National Cyber Awareness System (NCAS) Alert AA22-103A. Informational.

General

No known Ignition impact. On April 13, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published National Cyber Awareness System (NCAS) Alert ICSA-22-102-03 (PDF report), which mentioned an Advanced Persistent Threat (APT) tool for OPC-UA. See the OPC Foundation response.

Tech advisory link

Published at N/A*

Ignition CVE-2022-1264 (patched 8.1.0)

Incidents

Update Ignition to 8.1.0 or greater. On April 12, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published an Industrial Control Systems (ICS) Advisory ICSA-22-102-03 disclosing an Ignition security vulnerability that was patched in version 8.1.10.

The vulnerability enables an attack allowing placement of arbitrary files on the host OS of an Ignition Gateway if a privileged Ignition user restores a maliciously crafted backup file.

Tech advisory link

Published at N/A*

Ignition not affected by Log4j vulnerability (CVE-2021-44228).

Incidents

Informational. Inductive Automation completed a full audit of direct and transitive dependencies in Ignition to confirm that the log4j vulnerabilities do not apply to any supported or unsupported release of Ignition, and as such it is not vulnerable to the RCE outlined in CVE-2021-44228 or the Chainsaw GUI vulnerabilities associated with CVE-2022-23307. This includes LTS versions 7.9 and 8.1, as well as all past and non-LTS versions.

Tech advisory link.

Published at N/A*

Ignition Critical Settings Issue (Port Reset in 8.1.8). Build removed.

General

Informational. Regression disclosure. Installing Ignition 8.1.8 resets network ports to default values (http=8080, https=8043, Gateway Network=8060). This build was promptly taken down and updated as 8.1.9. Quality assurance remedial actions were taken.

Tech advisory link.

Published at N/A*

Ignition Critical Settings Issue (UDT import overwrite in 8.1.6). Build removed.

General

Informational. Regression disclosure. Installing Ignition 8.1.6 introduces a problem when importing User Defined Type (UDT) tags. This build was promptly taken down and updated as 8.1.7. Quality assurance remedial actions were taken.

Tech advisory link.

Published at N/A*

If you think you may have discovered a vulnerability, please send us a note.
