PatchSiren cyber security CVE debrief

CVE-2019-19244 Rockwell Automation CVE debrief

A denial-of-service vulnerability exists in Rockwell Automation DataMosaix Private Cloud versions 7.07 and earlier. The product bundles SQLite 3.30.1, which contains a flaw in the sqlite3Select function (select.c) that crashes the process when a subselect combines DISTINCT with window functions and specific ORDER BY clauses. Successful exploitation crashes the application, and service is not restored until it is manually restarted. The vulnerability is remotely exploitable without authentication, which yields a CVSS 3.1 base score of 7.5 (HIGH). Rockwell Automation has released version 7.09 to address this issue.

Vendor: Rockwell Automation
Product: DataMosaix Private Cloud
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-10-10
Original CVE updated: 2024-10-10
Advisory published: 2024-10-10
Advisory updated: 2024-10-10

Who should care

Organizations operating Rockwell Automation DataMosaix Private Cloud for industrial data management, particularly in manufacturing, energy, and critical infrastructure sectors where availability of data services is essential for operational continuity.

Technical summary

The vulnerability resides in the query-processing logic of SQLite 3.30.1, specifically in sqlite3Select within select.c. A crafted subselect that combines DISTINCT, window functions, and a particular ORDER BY clause triggers an application crash. This is a classic software-composition risk: a flaw in a third-party library propagates into the industrial product that bundles it. The attack vector is network-accessible and requires no privileges or user interaction, so exploitation can be automated.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade DataMosaix Private Cloud to version 7.09 or later to eliminate the vulnerable SQLite component
  • Apply network segmentation and access controls to limit exposure of DataMosaix Private Cloud instances to untrusted networks
  • Monitor for unexpected application crashes or restart events that may indicate exploitation attempts
  • Implement input validation and query filtering if custom SQL interfaces are exposed
  • Review and apply Rockwell Automation security best practices for industrial control system deployments
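One way to act on the crash-monitoring recommendation above, as an added example that is not Rockwell Automation's or PatchSiren's code: a sliding-window detector that raises one alert per burst of crash events in service logs. The log layout, the service name "datamosaix-api", and the three-crashes-in-five-minutes threshold are assumptions; the log lines are constructed.

```python
"""Crash-burst detector for a DataMosaix-style service log (added example).
The line layout "<ISO timestamp> <service> <event> [detail]" is an assumption."""
import re
from collections import deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (crashed|restarted|started|healthy)\b(.*)$")

# Constructed sample: three crashes within two minutes, then a quiet period.
SAMPLE_LOG = """\
2024-10-11T08:00:01 datamosaix-api started
2024-10-11T08:05:10 datamosaix-api crashed signal=SIGSEGV
2024-10-11T08:05:12 datamosaix-api restarted
2024-10-11T08:06:02 datamosaix-api crashed signal=SIGSEGV
2024-10-11T08:06:04 datamosaix-api restarted
2024-10-11T08:06:55 datamosaix-api crashed signal=SIGSEGV
2024-10-11T08:06:57 datamosaix-api restarted
2024-10-11T09:30:00 datamosaix-api healthy
"""


def parse(log_text):
    """Yield (timestamp, service, event) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def crash_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (service, first_crash, last_crash, count) once per burst in which
    at least `threshold` crashes of one service fall inside `window`.
    Only the first qualifying event of a burst alerts, so a sustained
    denial of service does not flood the on-call channel."""
    recent = {}        # service -> deque of crash timestamps inside the window
    alerted = set()    # services currently in an alerted burst
    alerts = []
    for ts, svc, event in parse(log_text):
        if event != "crashed":
            continue
        q = recent.setdefault(svc, deque())
        q.append(ts)
        while ts - q[0] > window:          # slide the window forward
            q.popleft()
        if len(q) < threshold:
            alerted.discard(svc)           # burst over; re-arm for the next one
        elif svc not in alerted:
            alerts.append((svc, q[0], ts, len(q)))
            alerted.add(svc)
    return alerts
```

Feed the detector the crash and restart events of the real service supervisor, and pair each alert with a check that the instance is already on version 7.09 or later.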

Evidence notes

The vulnerability stems from SQLite 3.30.1 bundled with DataMosaix Private Cloud. The crash condition requires a crafted SQL subselect using DISTINCT, window functions, and specific ORDER BY usage. CISA published advisory ICSA-24-284-16 on 2024-10-10 with remediation guidance.
