PatchSiren cyber security CVE debrief
CVE-2019-17543 Rockwell Automation CVE debrief
A heap-based buffer overflow vulnerability exists in Rockwell Automation DataMosaix Private Cloud versions 7.07 and earlier. The vulnerability stems from the product's use of LZ4 compression library versions prior to 1.9.2, specifically affecting the LZ4_compress_fast function when processing large inputs. The flaw, related to LZ4_compress_destSize, can result in data corruption and, if exploited, enable remote code execution by a malicious actor. Rockwell Automation has released version 7.09 to address this issue. The vulnerability was disclosed in CISA advisory ICSA-24-284-16 on October 10, 2024, though the CVE identifier indicates the underlying LZ4 issue dates to 2019.
- Vendor: Rockwell Automation
- Product: DataMosaix Private Cloud (<=7.07)
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-10
- Original CVE updated: 2024-10-10
- Advisory published: 2024-10-10
- Advisory updated: 2024-10-10
Who should care
Organizations operating Rockwell Automation DataMosaix Private Cloud for industrial data management and analytics. OT security teams responsible for private cloud deployments in manufacturing and critical infrastructure environments. Asset owners utilizing DataMosaix for converged IT/OT data platforms who need to assess supply chain risks from third-party library dependencies.
Technical summary
The vulnerability resides in the LZ4 compression library (versions < 1.9.2) bundled with DataMosaix Private Cloud ≤7.07. The LZ4_compress_fast function, when invoked with large input buffers, can trigger a heap-based buffer overflow through the LZ4_compress_destSize code path. This memory safety defect may lead to data corruption and, under exploitation conditions, allow arbitrary code execution in the context of the application. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a network attack vector requiring no privileges or user interaction, with high attack complexity because specific conditions must hold to reach the vulnerable code path, and high confidentiality, integrity and availability impact if it is reached.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade DataMosaix Private Cloud to version 7.09 or later to remediate the underlying LZ4 vulnerability.
- Apply network segmentation and access controls to limit exposure of DataMosaix Private Cloud instances to untrusted networks.
- Monitor for anomalous compression-related activity or unexpected process behavior that may indicate exploitation attempts.
- Review and implement CISA ICS recommended practices for industrial control system security.
- Consult Rockwell Automation security advisories for additional vendor-specific mitigation guidance.
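The first action above turns on two version thresholds stated in this debrief: DataMosaix Private Cloud 7.07 and earlier is affected and 7.09 remediates, and the bundled LZ4 library is vulnerable below 1.9.2. The following script is an added example, not Rockwell Automation or LZ4 project code; it applies those thresholds to an inventory with numeric (not string) version comparison, decodes the integer form that LZ4_versionNumber() returns (lz4.h defines it as MAJOR*100*100 + MINOR*100 + RELEASE, so 10902 is 1.9.2), and leaves 7.08, which the advisory does not mention, flagged for manual verification rather than guessing. Host names and versions in SAMPLE_INVENTORY are constructed sample data.

```python
"""Version gate for the CVE-2019-17543 debrief (added example, not vendor code).

Thresholds come from the advisory text: product <= 7.07 affected, 7.09 fixed,
LZ4 < 1.9.2 vulnerable. Inventory records below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LZ4_FIXED = (1, 9, 2)           # first LZ4 release carrying the fix
PRODUCT_FIXED = (7, 9)          # remediated DataMosaix Private Cloud release
PRODUCT_LAST_AFFECTED = (7, 7)  # last affected release named by the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.9.2', 'v1.10.0' or '7.07' into a tuple of ints.

    Numeric comparison matters: a plain string compare ranks '1.10.0' below
    '1.9.2' and would misreport a fixed library as vulnerable.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def lz4_version_from_number(number: int) -> tuple[int, int, int]:
    """Decode the integer returned by LZ4_versionNumber() (lz4.h encoding)."""
    return (number // 10000, (number // 100) % 100, number % 100)


def pad(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    """Right-pad a version tuple with zeros so '7' compares as (7, 0)."""
    return v + (0,) * (n - len(v))


def lz4_is_vulnerable(version: str | int) -> bool:
    """True when the LZ4 version (string or LZ4_versionNumber() int) is < 1.9.2."""
    v = lz4_version_from_number(version) if isinstance(version, int) else parse_version(version)
    return pad(v, 3) < LZ4_FIXED


def product_status(version: str) -> str:
    """'affected', 'fixed' or 'unknown' (7.08 is not covered by the advisory)."""
    v = pad(parse_version(version), 2)
    if v <= PRODUCT_LAST_AFFECTED:
        return "affected"
    if v >= PRODUCT_FIXED:
        return "fixed"
    return "unknown"


@dataclass(frozen=True)
class Asset:
    host: str
    product_version: str
    lz4_version: str | int | None = None  # None: library version not collected yet


def triage(assets: list[Asset]) -> dict[str, list[str]]:
    """Group hosts into upgrade / ok / verify using product and library evidence."""
    out: dict[str, list[str]] = {"upgrade": [], "ok": [], "verify": []}
    for a in assets:
        status = product_status(a.product_version)
        if status == "affected":
            out["upgrade"].append(a.host)
        elif status == "fixed":
            # Fixed product release, but an observed old LZ4 still deserves a look.
            if a.lz4_version is not None and lz4_is_vulnerable(a.lz4_version):
                out["verify"].append(a.host)
            else:
                out["ok"].append(a.host)
        else:
            out["verify"].append(a.host)
    return out


SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    Asset("dmx-plant-a", "7.07", "1.8.3"),
    Asset("dmx-plant-b", "7.09", 10902),
    Asset("dmx-lab", "7.08"),
    Asset("dmx-plant-c", "7.09", "1.10.0"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

The "verify" bucket is deliberate: a release the advisory does not name, or a fixed release that still reports an old library, is a question for the vendor or a manual check of the deployed binaries, not something a script should silently classify either way.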
Evidence notes
The vulnerability originates from LZ4 library versions before 1.9.2, not from Rockwell Automation proprietary code. The affected function LZ4_compress_fast with large input parameters triggers the heap overflow condition. Data corruption is cited as a secondary impact alongside potential remote code execution.
Official resources
- CVE-2019-17543 CVE record (CVE.org)
- CVE-2019-17543 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
Disclosed via CISA ICS advisory ICSA-24-284-16 on October 10, 2024.