Product:
========
- APE 3.8.x.x (with Video functionality enabled only)

If you are using an older version, please update your system to APE 3.8.x.x first and then follow the next steps.

Order numbers of the product:
- ASL-APE3P-VIDB
- ASL-APE3P-VIDE

Date:
=====
18 October 2021

Problem:
========
A recently discovered security vulnerability in this product allows an unauthenticated attacker to cause an application crash (Denial of Service / DoS). If protected by a firewall, the attack is limited to local signed-in users.

Details can be found in CVE-2021-23859 at
https://www.boschsecurity.com/xc/en/support/product-security/security-advisories.html

Bosch rates the vulnerability for this product with CVSSv3.1 base scores from 7.5 (High), where the actual rating depends on the final rating in the customer’s environment.

Mitigation:
===========
In this README file we describe a patching process that replaces a binary file on your installed system with a file that fixes the vulnerability. Future versions of this product will include this patch and will not require manual patching.

Customers are strongly advised to consider this patching procedure or to migrate their system to a higher version when available.

Disallowing connections to TCP ports 40080 - 40099 of the software / appliance by means of a firewall prevents the attacker from accessing the vulnerable interface.

Patch files:
============
The patch can be downloaded from https://downloadstore.boschsecurity.com/index.php
Select "Software" and "Access Professional Edition".
Download the file APE-CVE-2021-23859.zip

The ZIP file contains:
- README-APE-CVE-2021-23859.txt (this file)
- vj_generic.dll (File version 6.40.54.0)

Update procedure:
=================
The patch has to be applied on all systems where the VSDK has been installed.

- Please check whether VideoSDK.06.32.0099.x86 is already installed. If not, please update the VSDK first.
- Close all open APE applications.
- Open file explorer
- Navigate to C:\Program Files (x86)\Bosch\VideoSDK6\bin\Bosch.VideoSDK5.BVIP
  (If you have installed the VSDK in another location, please navigate to that folder)
- Rename vj_generic.dll to vj_generic.dll_old
- Copy the vj_generic.dll from the zip file into this folder
- Applications can be started again

Imprint:
========
Bosch Security Systems B.V.
Torenallee 49
5617 BA, Eindhoven
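
Added example (not part of the Bosch patch package): a PowerShell sketch of the rename-and-copy steps from the update procedure above, which also confirms that the installed vj_generic.dll ends up at file version 6.40.54.0. The location of the extracted patch file ($PatchedDll) is an assumption; the VSDK folder is the default path named in this README.

```powershell
# Added example, not Bosch code. Run elevated, after closing all APE applications.
# Assumptions: $BinDir is the default VSDK folder from this README;
# $PatchedDll is a hypothetical location of the extracted ZIP content.
param(
    [string]$BinDir     = 'C:\Program Files (x86)\Bosch\VideoSDK6\bin\Bosch.VideoSDK5.BVIP',
    [string]$PatchedDll = 'C:\Temp\APE-CVE-2021-23859\vj_generic.dll'
)
$ErrorActionPreference = 'Stop'
$fixed = [version]'6.40.54.0'   # file version stated in this README

# Read the numeric file version from the DLL's version resource.
function Get-DllVersion([string]$Path) {
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$target = Join-Path $BinDir 'vj_generic.dll'
$backup = Join-Path $BinDir 'vj_generic.dll_old'

if (-not (Test-Path -LiteralPath $target)) {
    throw "vj_generic.dll not found in $BinDir (VSDK installed in another location?)"
}

if ((Get-DllVersion $target) -eq $fixed) {
    Write-Output "Already patched: $target is version $fixed"
    return
}

# Refuse to install a file that is not the version this README names.
$newVer = Get-DllVersion $PatchedDll
if ($newVer -ne $fixed) { throw "Patch file is version $newVer, expected $fixed" }

# Never overwrite an earlier backup of the original DLL.
if (Test-Path -LiteralPath $backup) { throw "$backup already exists; resolve manually" }

Rename-Item -LiteralPath $target -NewName 'vj_generic.dll_old'
try {
    Copy-Item -LiteralPath $PatchedDll -Destination $target
} catch {
    Rename-Item -LiteralPath $backup -NewName 'vj_generic.dll'   # roll back
    throw
}
Write-Output "Patched: $target is now version $(Get-DllVersion $target)"
```

Running the script a second time on a patched system only reports the installed version, so it can also be used to audit which systems still carry the old file.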