Advisories for Nuget/OPCFoundation.NetStandard.Opc.Ua package

This security update resolves a vulnerability in the OPC UA .NET Standard Stack that enables an unauthorized attacker to trigger a rapid increase in memory consumption.

This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an unauthorized attacker to trigger a gradual degradation in performance.

The OPC UA .NET Standard Reference Server before 1.4.371.86. places sensitive information into an error message that may be seen remotely.

OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to cause a server to crash via a large number of messages that trigger Uncontrolled Resource Consumption.

OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to exhaust the memory resources of a server via a crafted request that triggers Uncontrolled Resource Consumption.

An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.

OPC UA .NET Standard Stack 1.04.368 allows remote attacker to cause a crash via a crafted message that triggers excessive memory allocation.

OPC UA .NET Standard Stack allows a remote attacker to bypass the application authentication check via crafted fake credentials.

OPC Foundation UA .NET Standard and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.

A Privilege Elevation vulnerability in OPC UA .NET Standard Stack could allow a rogue application to establish a secure connection.

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application.

In OPC Foundation OPC UA .NET Standard codebase, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.

Failure to validate certificates in OPC Foundation UA Client Applications communicating without security allows attackers with control over a piece of network infrastructure to decrypt passwords.

Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.

An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service.

Unsigned versions of the DLLs distributed by the OPC Foundation may be replaced with malicious code.

An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit . A vulnerability in OPC UA applications can allow a remote attacker to determine a Server's private key by sending carefully constructed bad UserIdentityTokens as part of an oracle attack.