Edit (23.05.2022): This issue is the same as CVE-2022-30551, which is published at OPC Foundation Security Bulletins.

Prosys OPC UA SDK for Java was selected as one of the targets for Pwn2Own Miami 2022 that was hosted by Zero Day Initiative (ZDI), this April. Security research teams were invited to compete for prizes for finding security exploits in various industrial control system (ICS) products. Other OPC UA SDKs were also among the targets in the OPC UA Server Category.

Several exploits were found from the products and one of them was also in our SDK:

“The Claroty Research (@claroty) team of Noam Moshe, Vera Mens, Amir Preminger, Uri Katz, and Sharon Brizinov used a resource exhaustion bug to execute their DoS on the Prosys OPC UA SDK for Java”.

ZDI and Claroty Research disclosed the details of the exploit to us so that we were able to fix the issue without making it public, yet, and the fix is now available. We recommend all our customers to update their products accordingly as soon as possible and release updated versions of their products to secure the industry from this exploit in future.

We have evaluated the exploit with CVSS Base Score 7.5 and Vector String CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

The exploit enables an unauthorized attacker to block OPC UA server applications so that they will no longer be able to serve client applications.

The vulnerability has been given an identifier ZDI-CAN-16441