AVEVA PI Data Archive Uncaught Exception Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in AVEVA PI Data Archive products, specifically in versions 2018 SP3 Patch 4 and prior, as well as versions 2023 and 2023 Patch 1. The vulnerability arises from an uncaught exception that can be exploited by an authenticated user to shut down essential PI Data Archive subsystems. This disruption may result in a denial-of-service condition, with the potential loss of data stored in snapshots or the write cache, depending on when the crash occurs.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by shutting down critical PI Data Archive subsystems, potentially leading to the loss of cached data.

Remediation

Users can upgrade to PI Data Archive 2024 or higher to address this vulnerability. For those using PI Data Archive 2018 SP3 Patch 4 and all prior versions, the vulnerability can be fixed by upgrading to PI Server 2018 SP3 Patch 7 or higher. Instructions for downloading the updated version are available on the OSIsoft Customer Portal.