The OPC Foundation publishes security bulletins that affect software that it maintains or distributes. In many cases these bulletins will affect code that OPC vendors incorporate into their products. As a result, vendors will have to patch their products to address the vulnerabilities identified.
When an issue is reported, the OPC Foundation uses the Common Vulnerability Scoring System to rate vulnerability and requests a CVE number from MITRE. Vendors are encouraged to use the CVE number when they publish updates to their products so users can associate a product patch with a vulnerability reported by the OPC Foundation.
When vulnerabilities are reported they are first reviewed by the OPC UA Security WG to determine the best course of action. A notice is sent out to a SDK vendor mailing list that an issue has been reported that may require action on their part. SDK vendors receive advance notice because many OPC products are built with SDKs and addressing a vulnerability requires that the SDKs be updated first. Any OPC Foundation member that wishes to be informed before vulnerabilities are made public should send a request to join the UA Security WG.
After review, the Security WG will set a time line for making the vulnerability public. The time line will depend on the severity of the vulnerability and the time needed by SDK vendors to produce a patch for their products. When a vulnerability is made pubic it will appear on this page with details on where to find updated software. Any member of the public who wishes to receive notifications when new Security Bulletins are released to the public should join the OPC Security Bulletins Google Group.
|7/31/2017||CVE-2017-12070||Security Update for OPC UA .NET Sample Applications||4.9 (medium)|
|7/31/2017||CVE-2017-12069||Security Update for the OPC UA .NET Sample Code||8.2 (high)|
|7/28/2017||CVE-2017-11672||Security Update for Local Discovery Services (LDS)||4.4 (medium)|
|12/6/2017||CVE-2017-17443||Security Update for Local Discovery Services (LDS)||4.4 (medium)|
|4/12/2018||CVE-2018-7559||Security Update for the OPC UA Stacks||5.3 (medium)|
|9/12/2018||CVE-2018-12086||Security Update for the OPC UA Stacks||7.5 (high)|
|9/12/2018||CVE-2018-12585||Security Update for the OPC UA Java and .NET Stack||8.2 (high)|
|9/25/2018||CVE-2018-12087||Security Update for the OPC UA Client Applications||5.3 (medium)|
|3/10/2020||CVE-2019-19135||Security Update for the OPC UA .NET and Java Clients||7.5 (high)|
|4/15/2020||CVE-2020-8867||Security Update for the OPC UA .NET Standard Stack||7.5 (high)|
|3/10/2021||CVE-2020-29457||Security Update for the OPC UA .NET Standard Stack||4.2 (medium)|
|5/18/2021||CVE-2021-27432||Security Update for the OPC UA .NET Standard Stack||7.5 (high)|
|5/18/2021||CVE-2021-27434||Security Update for OPC UA Applications using .NET 4.5.1 or earlier||7.2 (high)|
|9/1/2021||CVE-2021-40142||Security Update for Local Discovery Server (LDS)||7.5 (high)|
|3/1/2022||CVE-2021-45117||Security Update for Autogenerated ANSI C Stack Stubs||6.0 (medium)|
|5/23/2022||CVE-2022-30551||Security Update for the OPC UA Legacy Java Stack||7.5 (high)|
|6/15/2022||CVE-2022-29862||Security Update for the OPC UA .NET Standard Stack||7.5 (high)|
|6/15/2022||CVE-2022-29863||Security Update for the OPC UA .NET Standard Stack||7.5 (high)|
|6/15/2022||CVE-2022-29864||Security Update for the OPC UA .NET Standard Stack||7.5 (high)|
|6/15/2022||CVE-2022-29865||Security Update for the OPC UA .NET Standard Stack||6.5 (medium)|
|6/15/2022||CVE-2022-29866||Security Update for the OPC UA .NET Standard Stack||7.5 (high)|