AVEVA PI Data Archive
cpe:2.3:a:osisoft:pi_data_archive:*:*:*:*:*:*:*
- <= 2018 SP3 Patch 4
- >= 2023, <= 2023 Patch 1
A denial-of-service vulnerability has been identified in AVEVA PI Data Archive products, specifically in versions 2018 SP3 Patch 4 and prior, as well as versions 2023 and 2023 Patch 1. The vulnerability arises from an uncaught exception that can be exploited by an authenticated user to shut down essential PI Data Archive subsystems. This disruption may cause a denial-of-service condition, with the potential loss of data in snapshots or write cache.
Exploitation of this vulnerability can lead to a denial-of-service condition, causing certain PI Data Archive subsystems to shut down. Depending on when the crash occurs, there may be a loss of data in snapshots or write cache.
Users can upgrade to PI Server 2024 or higher to address this vulnerability. Alternatively, for those using PI Data Archive 2018 SP3 Patch 4 and all prior or PI Server 2018 SP3 Patch 6 and all prior, upgrading to PI Server 2018 SP3 Patch 7 or higher is recommended. For additional guidance, users can consult the OSIsoft Customer Portal or refer to AVEVA's security update page.
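To triage an asset inventory against the affected PI Data Archive ranges listed above, the following added example (not AVEVA's or this page's own code) parses release labels and flags hosts in range. It assumes the inventory records PI Data Archive release labels in the same form the page uses; the host names and sample releases are constructed.

```python
import re

# Release labels as written on this page, e.g. "2018 SP3 Patch 4", "2023 Patch 1".
_LABEL = re.compile(
    r"^\s*(\d{4})(?:\s+R(\d+))?(?:\s+SP(\d+))?(?:\s+Patch\s+(\d+))?\s*$",
    re.IGNORECASE,
)

def parse_release(label):
    """Turn a release label into a sortable (year, R, SP, patch) tuple."""
    m = _LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognised release label: {label!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

# Affected PI Data Archive ranges, copied from the version list above (inclusive).
AFFECTED = [
    (None, parse_release("2018 SP3 Patch 4")),               # <= 2018 SP3 Patch 4
    (parse_release("2023"), parse_release("2023 Patch 1")),  # 2023 .. 2023 Patch 1
]

def is_affected(label):
    v = parse_release(label)
    return any((lo is None or lo <= v) and v <= hi for lo, hi in AFFECTED)

def triage(inventory):
    """Map each host to 'affected', 'not listed', or 'unparsed' (manual review)."""
    result = {}
    for host, label in inventory.items():
        try:
            result[host] = "affected" if is_affected(label) else "not listed"
        except ValueError:
            result[host] = "unparsed"
    return result

# Constructed inventory: host names and installed releases are made up.
SAMPLE = {
    "pi-da-01": "2018 SP3 Patch 4",
    "pi-da-02": "2023 Patch 1",
    "pi-da-03": "2024",
    "pi-da-04": "2017 R2",
    "pi-da-05": "build 3.4.440",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A "not listed" result only means the release falls outside the ranges on this page; hosts recorded with PI Server bundle versions should be checked against the PI Server patch levels named in the remediation text instead.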