Security Bulletins

Overview

The OPC Foundation publishes security bulletins for vulnerabilities that affect software that it maintains or distributes. In many cases these vulnerabilities will affect code that OPC vendors incorporate into their products. As a result, vendors will have to patch their products to address the vulnerabilities identified.

Any vulnerabilities or security concerns should be reported to ‘securityteam AT opcfoundation DOT org’.
A PGP key to encrypt any sensitive security report can be found here.

Process

When an issue is reported, the OPC Foundation uses the Common Vulnerability Scoring System to rate the vulnerability and requests a CVE number from MITRE. Vendors are encouraged to use the CVE number when they publish updates to their products so users can associate a product patch with a vulnerability reported by the OPC Foundation.

When vulnerabilities are reported, they are first reviewed by the OPC UA Security WG to determine the best course of action. A notice is sent out to an SDK vendor mailing list that an issue has been reported that may require action on their part. SDK vendors receive advance notice because many OPC products are built with SDKs and addressing a vulnerability requires that the SDKs be updated first. Any OPC Foundation member that wishes to be informed before vulnerabilities are made public should send a request to join the UA Security WG.

After review, the Security WG will set a timeline for making the vulnerability public. The timeline will depend on the severity of the vulnerability and the time needed by SDK vendors to produce a patch for their products. When a vulnerability is made public it will appear on this page with details on where to find updated software. Any member of the public who wishes to receive notifications when new Security Bulletins are released to the public should join the OPC Security Bulletins Google Group.

When a vulnerability is made public, the OPC Foundation will notify MITRE, which means it will be made visible in their database. NIST will also automatically add the CVE to their database.

Date | Number | Title | Rating
5/15/2023 | CVE-2023-32787 | Security Update for the OPC UA Legacy Java Stack | 7.5 (high)
5/3/2023 | CVE-2023-31048 | Security Update for the OPC UA .NET Standard Reference Server | 5.3 (medium)
5/3/2023 | CVE-2023-27321 | Security Update for the OPC UA .NET Standard Reference Server | 7.5 (high)
11/17/2022 | CVE-2022-44725 | Security Update for Local Discovery Server (LDS) | 7.8 (high)
8/1/2022 | CVE-2022-33916 | Security Update for the OPC UA .NET Standard Reference Server | 5.3 (medium)
7/15/2022 | CVE-2022-29866 | Security Update for the OPC UA .NET Standard Stack | 7.5 (high)
6/15/2022 | CVE-2022-29862 | Security Update for the OPC UA .NET Standard Stack | 7.5 (high)
6/15/2022 | CVE-2022-29863 | Security Update for the OPC UA .NET Standard Stack | 7.5 (high)
6/15/2022 | CVE-2022-29864 | Security Update for the OPC UA .NET Standard Stack | 7.5 (high)
6/15/2022 | CVE-2022-29865 | Security Update for the OPC UA .NET Standard Stack | 6.5 (medium)
5/23/2022 | CVE-2022-30551 | Security Update for the OPC UA Legacy Java Stack | 7.5 (high)
3/1/2022 | CVE-2021-45117 | Security Update for Autogenerated ANSI C Stack Stubs | 6.0 (medium)
9/1/2021 | CVE-2021-40142 | Security Update for Local Discovery Server (LDS) | 7.5 (high)
5/18/2021 | CVE-2021-27432 | Security Update for the OPC UA .NET Standard Stack | 7.5 (high)
5/18/2021 | CVE-2021-27434 | Security Update for OPC UA Applications using .NET 4.5.1 or earlier | 7.2 (high)
3/10/2021 | CVE-2020-29457 | Security Update for the OPC UA .NET Standard Stack | 4.2 (medium)
4/15/2020 | CVE-2020-8867 | Security Update for the OPC UA .NET Standard Stack | 7.5 (high)
3/10/2020 | CVE-2019-19135 | Security Update for the OPC UA .NET and Java Clients | 7.5 (high)
9/25/2018 | CVE-2018-12087 | Security Update for the OPC UA Client Applications | 5.3 (medium)
9/12/2018 | CVE-2018-12086 | Security Update for the OPC UA Stacks | 7.5 (high)
9/12/2018 | CVE-2018-12585 | Security Update for the OPC UA Java and .NET Stack | 8.2 (high)
4/12/2018 | CVE-2018-7559 | Security Update for the OPC UA Stacks | 5.3 (medium)
12/6/2017 | CVE-2017-17443 | Security Update for Local Discovery Services (LDS) | 4.4 (medium)
7/31/2017 | CVE-2017-12070 | Security Update for OPC UA .NET Sample Applications | 4.9 (medium)
7/31/2017 | CVE-2017-12069 | Security Update for the OPC UA .NET Sample Code | 8.2 (high)
7/28/2017 | CVE-2017-11672 | Security Update for Local Discovery Services (LDS) | 4.4 (medium)