PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-0739 OpenSSL CVE debrief

CVE-2018-0739 is a medium-severity denial-of-service issue tied to excessive recursion in constructed ASN.1 parsing. In the supplied advisory corpus, the issue is associated with Festo Automation Suite and bundled CODESYS components, with mitigation centered on upgrading Festo Automation Suite to 2.8.0.138 or later and installing patched CODESYS releases from the official vendor source.

Vendor: OpenSSL
Product: FESTO
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-30
Original CVE updated: 2025-11-13
Advisory published: 2025-09-30
Advisory updated: 2025-11-13

Who should care

Administrators and engineers responsible for Festo Automation Suite deployments, especially installations below 2.8.0.138 and systems using the listed CODESYS Development System versions. OT/ICS patch managers should also care because the advisory is published through CISA and addresses industrial software distribution.

Technical summary

The supplied CVE text describes unbounded recursion while parsing constructed ASN.1 types: a recursively defined type can be nested until the parser consumes the available stack and the process crashes, resulting in denial of service. The advisory context maps the issue to Festo Automation Suite/CODESYS product combinations and notes that, starting with Festo Automation Suite 2.8.0.138, CODESYS is no longer bundled and must be obtained and updated separately. The reported CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: network-reachable, low attack complexity, no privileges required, user interaction required, with availability impact only (no confidentiality or integrity impact).
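As an added illustration of the bug class (not code from the advisory, Festo, CODESYS or OpenSSL), the following minimal DER walker recurses into constructed ASN.1 types and shows the nesting cap that closes the hole; MAX_NEST, the helper names and the nested-SEQUENCE test input are assumptions constructed for this example.

```python
MAX_NEST = 30  # assumed cap for this example; OpenSSL's fix introduced a similar constant

class NestingTooDeep(Exception): pass  # constructed nesting exceeded the configured cap

def _read_length(buf, pos):
    # Decode a DER length at buf[pos]; return (length, position after it).
    first, pos = buf[pos], pos + 1
    if first < 0x80:                        # short form
        return first, pos
    n = first & 0x7F                        # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def walk_der(buf, max_nest=MAX_NEST, _depth=0):
    """Walk TLV elements; return the deepest constructed level reached."""
    if _depth > max_nest:                   # the guard a fix adds; absent in the bug class
        raise NestingTooDeep(f"nesting deeper than {max_nest}")
    pos, deepest = 0, _depth
    while pos < len(buf):
        tag = buf[pos]
        length, pos = _read_length(buf, pos + 1)
        body = buf[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated element")
        if tag & 0x20:                      # constructed bit set: recurse into the contents
            deepest = max(deepest, walk_der(body, max_nest, _depth + 1))
        pos += length
    return deepest

def _encode_length(n):
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")  # minimal big-endian octets
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def nested_sequence(depth):
    # Constructed test input: `depth` SEQUENCE wrappers around a single NULL.
    elem = b"\x05\x00"
    for _ in range(depth):
        elem = b"\x30" + _encode_length(len(elem)) + elem
    return elem

def parse_outcome(buf, max_nest=MAX_NEST):
    # Classify the walker's fate on buf: "ok depth=N", "capped", or "stack-exhausted".
    try:
        return f"ok depth={walk_der(buf, max_nest)}"
    except NestingTooDeep:
        return "capped"
    except RecursionError:                  # Python's stand-in for the C stack blowing up
        return "stack-exhausted"
```

With the cap in place an over-nested input is rejected cleanly; with the cap effectively disabled the same walker runs out of stack, which is the failure mode the CVE text describes.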

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Festo Automation Suite to version 2.8.0.138 or later.
  • Download and install the latest patched CODESYS release directly from the official CODESYS website.
  • Follow vendor installation and update guidance to ensure all security fixes are applied.
  • Keep the Festo Automation Suite connector up to date as new releases are published.
  • Monitor Festo, CODESYS, and CISA advisories for follow-on updates or clarifications.

Evidence notes

The primary source is a CISA republication of a Festo advisory (ICSA-26-076-01 / FSA-202601). The embedded CVE description is the generic ASN.1 recursion/stack exhaustion statement that references the OpenSSL fixes, while the advisory metadata identifies the affected Festo Automation Suite and CODESYS versions. The vendor mapping supplied alongside the advisory is marked low-confidence and needs review, so the product association should be treated as advisory-supplied context rather than independently verified.

Official resources

The supplied advisory first appeared on 2026-02-26 and was republished by CISA on 2026-03-17. Those dates should be used for advisory timing context in this corpus.