CVE-2022-1704: 
Inductive Automation Ignition vulnerability analysis and mitigation

CVE-2022-1704 is a vulnerability discovered in Inductive Automation's Ignition software that affects versions from 8.1 to those prior to v8.1.8 and all 7.9 versions prior to v7.9.21. The vulnerability was disclosed on July 26, 2022, and involves an improper restriction of XML external entity reference in the backup/restore functionality (CISA Advisory).

The vulnerability is classified as an XML External Entity (XXE) Reference vulnerability (CWE-611). The specific issue stems from the software parsing XML in the backup/restore functionality without proper XML security flags, which could lead to an XXE attack during backup restoration. The vulnerability has been assigned a CVSS v3 base score of 7.6 with the vector string AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L (CISA Advisory).

Successful exploitation of this vulnerability could allow an attacker to obtain file contents from the affected system. The vulnerability affects critical infrastructure sectors including Critical Manufacturing, Energy, and Information Technology, particularly in the United States (CISA Advisory).

Inductive Automation recommends upgrading the Ignition software to version 8.1.9 or later for 8.x users, or version 7.9.21 or later for 7.9.x users. Additional security measures include minimizing network exposure for control system devices, ensuring systems are not accessible from the Internet, locating control system networks behind firewalls, and using secure methods like VPNs when remote access is required (CISA Advisory).