Customer Support

What can we help you with?

Find the Help You Need

Have a question? Find the answers you need by searching our knowledge base, visiting our community forum or watching our helpful online training videos.

Contact Us

Our support team is available to help you Monday - Friday 6am - 5pm PST.

Phone
Inductive Automation Corporate
+1 (800) 266-7798 Toll Free (USA)
+1 (916) 456-1045 International



Latest Updates

Ignition 7.7.7 Now Available
Posted by Peggie Wong on 02/11/2016 02:21 PM

The 7.7.7 official release is now available for download on the Ignition downloads page, which you can find here. It contains minor features and bug fixes. You can view a complete list of these in the change log here.

WARNING: This version of Ignition uses a different implementation for the internal database, which has wide-ranging effects on the Ignition platform. It is highly recommended to take a gateway backup if doing an upgrade. Please visit the following URL for more information before installing: Internal DB Knowledge Base Article


Ignition 7.8.1 Available for Download
Posted by Peggie Wong on 01/25/2016 09:11 AM

The 7.8.1 official release is now available for download on the Ignition downloads page, which you can find here. It contains new features and bug fixes. You can view a complete list of these in the change log here.

7.8.1 is now the recommended download for new installations and upgrades.


7.8.0 Available for Download
Posted by Peggie Wong on 10/19/2015 09:41 AM

The 7.8.0 official release is now available for download on the Ignition downloads page, which you can find here. It contains new features and bug fixes. You can view a complete list of these in the change log here.

If upgrading from a previous version, please check with your Account Executive that your license is eligible for 7.8 prior to upgrading.


7.7.5 Now Available
Posted by Peggie Wong on 07/28/2015 08:33 AM

The 7.7.5 official release is now available for download on the Ignition downloads page, which you can find here. It contains new features and bug fixes. You can view a complete list of these in the change log here.

7.7.5 is now the recommended download for new installations and upgrades.


ICS-CERT Advisory ICSA-15-090-01
Posted by Dave Fogle on 04/02/2015 01:38 PM

Overview

On March 31st, 2015, ICS-CERT published an advisory regarding Ignition that includes five separate security issues. These issues are not highly dangerous exploits, and most customers will not require immediate action to mitigate the risk that these issues pose. To facilitate better understanding of each issue included in the advisory, we describe each one here in terms relevant to users of Ignition, as well as the security impact and risk mitigation factors for each issue. 

Advisory Breakdown

All of these issues are resolved in Ignition 7.7.4, and will be backported to the next 7.5 LTS release, 7.5.14.

Cross-site scripting (XSS) CVE-2015-0976

When you web-launch a Vision client, you use a technology called Java Web Start. The way this works is that you go to a URL on our Ignition Gateway, and it generates a "JNLP" file for the Vision Client application. Java Web Start then reads this JNLP file, which contains the information needed to download and launch our client application. This vulnerability involves creating a carefully manipulated URL, which causes the JNLP to tell Java Web Start to load a different program instead of our client application. The impact here is that if an attacker created a URL that loaded their own program and then convinced someone that it was a genuine Ignition URL, they could have that person launch a malicious application. Low impact, mitigated by ensuring you don't launch the Vision Client from an untrusted link (for example, an unsolicited email), or by using the Native Client Launcher.
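A defensive check for the situation described above, added here as an illustration and not taken from Ignition: before a JNLP file is handed to Java Web Start, confirm that every code location it names is served by the gateway you trust. The host names, paths and class names in the sample documents are constructed placeholders, not Ignition's real layout.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed JNLP documents (placeholders, not real Ignition output).
GENUINE = """<jnlp spec="1.0+" codebase="http://gateway.example:8088/launch/">
  <resources><jar href="client-launcher.jar" main="true"/></resources>
  <application-desc main-class="example.ClientLauncher"/>
</jnlp>"""

TAMPERED = """<jnlp spec="1.0+" codebase="http://gateway.example:8088/launch/">
  <resources><jar href="http://other.example/app.jar" main="true"/></resources>
  <application-desc main-class="example.ClientLauncher"/>
</jnlp>"""


def origin(url):
    """Scheme, host and port of a URL, normalised for comparison."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def foreign_resources(jnlp_text, trusted_gateway):
    """Return every code location in the JNLP not served by trusted_gateway."""
    # Refuse DTDs so entity tricks cannot be used against the XML parser.
    if "<!DOCTYPE" in jnlp_text:
        raise ValueError("JNLP with a DOCTYPE is rejected")
    root = ET.fromstring(jnlp_text)
    trusted = origin(trusted_gateway)
    codebase = root.get("codebase", "")
    findings = []
    if origin(codebase) != trusted:
        findings.append(("codebase", codebase))
    # jar, nativelib and extension all name code that Java Web Start downloads.
    for tag in ("jar", "nativelib", "extension"):
        for element in root.iter(tag):
            # Relative hrefs resolve against the codebase, absolute ones do not.
            resolved = urljoin(codebase, element.get("href", ""))
            if origin(resolved) != trusted:
                findings.append((tag, resolved))
    return findings
```

An empty result means every resource resolves to the trusted gateway; any entry is a reason not to launch the file.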

Information Exposure Through Error Message CVE-2015-0991

This vulnerability describes how our Gateway responds to certain invalid URLs with an error message, and that error message has information about the server and application that generated it. Best practice is to not leak this sort of information via error messages. Very low impact.

Insecure Storage of Sensitive Information CVE-2015-0992

When you configure an OPC server connection, you have to provide credentials for the connection. We store those connections in our internal database of settings for the Ignition Gateway. Prior to Ignition 7.7.4, these credentials were being stored in plain text inside this database. As of 7.7.4, the credentials are encrypted. In order to exploit this vulnerability, an attacker would need to have local disk access to the server running the Gateway. Low impact, mitigated by protecting local disk access to the Ignition Gateway server.

Insufficient Session Expiration CVE-2015-0993

When you log into the configuration section of the Ignition Gateway, you get an authorized session. This vulnerability describes a way in which your authorized session could still be used for a short time even after you have logged out. An attacker who had captured session information from the network would then be able to replay commands using the authorized session. Medium impact, high sophistication level required. Mitigated by using SSL.

Bypass Anti-Bruteforce CVE-2015-0994

When you log into the Ignition Gateway, you may only enter a failed password a small number of times before the gateway blocks you from trying again for about a minute. This is called an anti-brute-force protection. It protects against someone running a program that attempts to log in tens of thousands of times in a row, using a dictionary of commonly used passwords. By injecting a delay, the brute-force attempt is slowed down so much that it would take an unreasonable amount of time to try all of the known, common passwords. This vulnerability describes a manner in which our anti-brute-force mechanism could be bypassed. Low impact, mitigated by using good passwords.
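A minimal sketch of the lockout behaviour described above, added as an example and not Ignition's implementation; the advisory does not say how the bypass worked, so this shows only the protection itself. The threshold of 5 failures and the 60 second lock are assumed values, and `check_password` is a hypothetical callback.

```python
import time


class LoginThrottle:
    """Per-account failed-login lockout kept on the server side."""

    def __init__(self, check_password, max_failures=5, lockout_seconds=60,
                 clock=time.monotonic):
        self._check = check_password   # hypothetical: callable(user, pw) -> bool
        self._max = max_failures       # assumed threshold
        self._lockout = lockout_seconds
        self._clock = clock            # injectable so the timing can be tested
        self._failures = {}            # username -> consecutive failures
        self._locked_until = {}        # username -> clock value when lock ends

    def attempt(self, username, password):
        now = self._clock()
        # Check the lock BEFORE the password, so that even a correct guess made
        # during the lockout is refused; otherwise guessing is not slowed at all.
        if now < self._locked_until.get(username, 0):
            return "locked"
        if self._check(username, password):
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        if count >= self._max:
            self._locked_until[username] = now + self._lockout
            count = 0
        self._failures[username] = count
        return "denied"


def hours_to_try(dictionary_size, max_failures=5, lockout_seconds=60):
    """Minimum wall-clock hours to submit a whole dictionary to one account."""
    lockouts = (dictionary_size - 1) // max_failures
    return lockouts * lockout_seconds / 3600
```

With these assumed settings, a 50,000-word dictionary against a single account takes just under a week of waiting.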

Use of Password Hash with Insufficient Computational Effort CVE-2015-0995

When you manage users within Ignition, the Ignition Gateway stores the usernames in the internal settings database. Their passwords, however, are not actually stored. Something called a "hash" of the password is stored instead. A hash is like a one-way encoding. Given a password, it will always create the same hash number, but you cannot take a hash number and derive the password. This is a safety mechanism that lets us check that a password is correct without actually storing the password, so that if someone has a gateway backup, they cannot see the passwords inside it. We had been using a hashing mechanism called "MD5". This mechanism is out of date, and no longer considered secure, because there exist things called "rainbow tables" which are huge tables of MD5 hashes for common passwords. As of Ignition 7.7.4, we have updated the passwords to use a salted SHA-256 hashing strategy. Low impact, mitigated by using good passwords.
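The difference between the two schemes, shown as an added example that is not Ignition's code: a table precomputed once from common passwords recovers unsalted MD5 entries but finds nothing once each record carries its own random salt. The `salthex$digesthex` record layout, the account names and the password list are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a list of commonly used passwords.
COMMON_PASSWORDS = ["password", "123456", "ignition", "letmein"]
# Constructed accounts: two share a common password, one uses a strong one.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Xq7#vLp2!fr9"}


def md5_unsalted(password):
    """Legacy scheme: the same password always yields the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha256_unsalted(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def sha256_salted(password, salt=None):
    """Salted SHA-256; the 'salthex$digesthex' layout is an assumption."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, expected = record.split("$", 1)
    actual = sha256_salted(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(actual, expected)


def table_hits(stored, hash_fn):
    """Look stored hashes up in a table precomputed from COMMON_PASSWORDS."""
    table = {hash_fn(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


def audit(users):
    """What a copied settings database reveals under each scheme."""
    legacy = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: sha256_salted(p) for u, p in users.items()}
    digests = {u: rec.split("$", 1)[1] for u, rec in salted.items()}
    return {
        "md5_recovered": table_hits(legacy, md5_unsalted),
        "salted_recovered": table_hits(digests, sha256_unsalted),
        "md5_duplicates": len(set(legacy.values())) < len(legacy),
        "salted_duplicates": len(set(salted.values())) < len(salted),
    }
```

The strong password is not recovered under either scheme, which is the "good passwords" mitigation the advisory names.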

