CVE-2019-14855 Red Hat CVE debrief

CVE-2019-14855 is a HIGH severity vulnerability (CVSS 7.5) affecting Rockwell Automation DataMosaix Private Cloud versions 7.07 and earlier. The vulnerability stems from the product's use of GnuPG, which contains a certificate signature weakness in the SHA-1 algorithm. A threat actor could exploit this to create forged certificate signatures, potentially enabling unauthorized viewing of customer data. The CVE was published on October 10, 2024, with the advisory ICSA-24-284-16 issued by CISA on the same date. Rockwell Automation has addressed this issue in version 7.09 and strongly encourages users to update to the newest available version.

Vendor: Red Hat
Product: DataMosaix Private Cloud
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-10-10
Original CVE updated: 2024-10-10
Advisory published: 2024-10-10
Advisory updated: 2024-10-10

Who should care

Organizations operating Rockwell Automation DataMosaix Private Cloud environments, particularly industrial and manufacturing entities using this platform for data management. Security teams responsible for OT/ICS infrastructure, certificate management administrators, and compliance officers monitoring cryptographic standards in industrial environments should prioritize this update.

Technical summary

The vulnerability exists because DataMosaix Private Cloud uses GnuPG, which relies on the SHA-1 algorithm for certificate signatures. SHA-1 has known cryptographic weaknesses that make collision attacks practical, allowing a threat actor to create forged certificate signatures. Successful exploitation could result in a malicious user viewing customer data. The attack vector is network-based, with low attack complexity and no privileges or user interaction required. The impact is to confidentiality, through potential unauthorized access to data.

Defensive priority

HIGH

Recommended defensive actions

  • Update DataMosaix Private Cloud to version 7.09 or later to address the GnuPG SHA-1 certificate signature vulnerability.
  • Review and implement Rockwell Automation security best practices as referenced in their security advisory documentation.
  • Monitor certificate validation processes and consider additional certificate pinning or verification mechanisms for sensitive data access.
  • Apply network segmentation and defense-in-depth strategies to limit exposure of DataMosaix Private Cloud instances.
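The technical summary above describes SHA-1 certificate signatures as the weak point, and the third defensive action asks teams to monitor certificate validation. The script below is an added example written for this debrief; it is not code from the PatchSiren page, from Rockwell Automation or from the GnuPG project. It reads the machine-readable output of `gpg --with-colons --list-sigs` and reports every certification signature made with SHA-1 or MD5, so an operator can audit a keyring before relying on it. It assumes the field layout documented in GnuPG's doc/DETAILS file (for `sig` and `rev` records, field 16 holds the RFC 4880 hash algorithm id, where SHA-1 is 2); the key ids, user ids and the sample keyring listing are constructed placeholders, not values from the advisory.

```python
"""Flag OpenPGP certificate signatures made with weak digest algorithms.

Added example, not code from the PatchSiren page, Rockwell Automation or the
GnuPG project. Input is the colon-separated output of
`gpg --with-colons --list-sigs`; field positions follow GnuPG's doc/DETAILS
(for sig/rev records, field 16 is the RFC 4880 hash algorithm id).
"""
from __future__ import annotations

from dataclasses import dataclass

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGOS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160",
    8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224",
}
# MD5 and SHA-1: collision attacks are practical, so a certification made
# with either cannot be trusted to bind the key to the user id.
WEAK_HASH_IDS = {1, 2}


@dataclass
class WeakSignature:
    key_id: str      # key carrying the signature (from the preceding pub record)
    user_id: str     # user id packet the signature certifies
    signer_id: str   # key id of the signer
    hash_algo: str   # human-readable digest name


def parse_colon_records(text: str) -> list[list[str]]:
    """Split colon-format output into per-record field lists."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def find_weak_signatures(text: str) -> list[WeakSignature]:
    """Return every sig/rev record whose digest is MD5 or SHA-1."""
    weak: list[WeakSignature] = []
    current_key = ""
    current_uid = ""
    for fields in parse_colon_records(text):
        rtype = fields[0]
        if rtype == "pub":
            current_key = fields[4]   # field 5: key id
            current_uid = ""
        elif rtype == "uid":
            current_uid = fields[9]   # field 10: user id string
        elif rtype in ("sig", "rev"):
            # Older GnuPG releases omit the hash field; skip rather than guess.
            if len(fields) < 16 or not fields[15].isdigit():
                continue
            algo_id = int(fields[15])  # field 16: hash algorithm id
            if algo_id in WEAK_HASH_IDS:
                weak.append(WeakSignature(
                    key_id=current_key,
                    user_id=current_uid,
                    signer_id=fields[4],
                    hash_algo=HASH_ALGOS.get(algo_id, str(algo_id)),
                ))
    return weak


# Constructed sample listing: one key, one user id, a SHA-256 self-signature,
# a SHA-1 third-party certification, and a SHA-256 subkey binding signature.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:3072:1:0123456789ABCDEF:1550000000:::u:::scESC::::::23::0:
fpr:::::::::PLACEHOLDERFINGERPRINT0123456789ABCDEF:
uid:u::::1550000000::PLACEHOLDERUIDHASH::Example Operator <ops@example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1550000000::::Example Operator <ops@example.invalid>:13x:::::8:
sig:::1:FEDCBA9876543210:1560000000::::Legacy Signer <legacy@example.invalid>:10x:::::2:
sub:u:3072:1:1122334455667788:1550000000::::::e::::::23:
sig:::1:0123456789ABCDEF:1550000000::::Example Operator <ops@example.invalid>:18x:::::8:
"""


def main() -> None:
    for w in find_weak_signatures(SAMPLE_LISTING):
        print(f"WEAK {w.hash_algo}: key {w.key_id} uid '{w.user_id}' "
              f"certified by {w.signer_id}")


if __name__ == "__main__":
    main()
```

Run it against a live keyring with `gpg --with-colons --list-sigs | python3 audit_sigs.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`. The policy here is deliberately strict: it flags every MD5 or SHA-1 certification regardless of when it was created, which is the simplest rule to reason about when deciding which keys a DataMosaix deployment should continue to trust.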

Evidence notes

The vulnerability description and remediation guidance are sourced from CISA CSAF advisory ICSA-24-284-16, which identifies DataMosaix Private Cloud <=7.07 as affected and version 7.09 as the remediation release. The CVSS score of 7.5 (HIGH) is provided in the source material.

Official resources

2024-10-10