Product:
========
- BIS 4.7
- BIS 4.8
- BIS 4.9

Order numbers of the product:
- BIS-FVIE-BPA47
- BIS-FVIE-BPA48
- BIS-FVIE-BPA49

Date:
=====
18 October 2021

Problem:
========
A recently discovered security vulnerability in this product allows an unauthenticated attacker to cause an application crash (Denial of Service / DoS). If the system is protected by a firewall, the attack is limited to local signed-in users.

Details can be found in CVE-2021-23859 at https://www.boschsecurity.com/xc/en/support/product-security/security-advisories.html

Bosch rates the vulnerability for this product with a CVSSv3.1 base score of 5.5 (Medium); the actual rating depends on the final assessment of the customer's environment.

Mitigation:
===========
This README file describes a patching process that replaces a binary file on your installed system with a file that fixes the vulnerability. Future versions of this product will include this patch and will not require manual patching. Customers are strongly advised to apply this patching procedure or to migrate their system to a higher version when available.

Blocking connections to TCP ports 40080-40099 of the software / appliance by means of a firewall prevents an attacker from reaching the vulnerable interface.

Patch files:
============
The patch can be downloaded from https://downloadstore.boschsecurity.com/index.php
Select "Software" and "Building Integration System". Download the file BIS-CVE-2021-23859.zip

The ZIP file contains:
- README-BIS-CVE-2021-23859.txt (this file)
- vj_generic.dll (File version 6.40.54.0)

Update procedure:
=================
If you are using Video Engine with the BIS application, do the following on every BIS client PC and on the server:
- Close the BIS client
- Open File Explorer
- Navigate to the folder "C:\Program Files (x86)\Bosch\VideoSDK6\bin\Bosch.VideoSDK5.BVIP"
- Rename vj_generic.dll to vj_generic.dll_old
- Copy the vj_generic.dll from the ZIP file into this folder
- Start the BIS client and use it as usual
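The update procedure above as a PowerShell script, added here as an example and not part of the Bosch advisory or its patch package. It assumes the ZIP has already been extracted to C:\Temp\BIS-CVE-2021-23859 (an assumed location, changeable via -PatchDir) and that the operator has closed the BIS client; it checks the file version of vj_generic.dll against the 6.40.54.0 stated above both before and after the replacement, so it can also be used to confirm which client PCs are already patched.

```powershell
# Added example, not part of the Bosch advisory or its patch package.
# Applies the vj_generic.dll replacement from the update procedure and
# verifies the result by file version. Run in an elevated PowerShell after
# closing the BIS client (the advisory does not name the client process,
# so this script does not stop it for you).
param(
    # Assumed: folder to which BIS-CVE-2021-23859.zip was already extracted.
    [string]$PatchDir = 'C:\Temp\BIS-CVE-2021-23859',
    # Install folder named in the advisory.
    [string]$TargetDir = 'C:\Program Files (x86)\Bosch\VideoSDK6\bin\Bosch.VideoSDK5.BVIP',
    # File version of the fixed DLL, as stated in the advisory.
    [version]$FixedVersion = '6.40.54.0'
)
$ErrorActionPreference = 'Stop'

$dll    = Join-Path $TargetDir 'vj_generic.dll'
$backup = Join-Path $TargetDir 'vj_generic.dll_old'
$newDll = Join-Path $PatchDir  'vj_generic.dll'

# Returns the file version of a DLL as [version], or $null if it is missing.
function Get-DllVersion([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return [version](Get-Item -LiteralPath $Path).VersionInfo.FileVersion
}

# Sanity checks before touching the installation.
$current = Get-DllVersion $dll
if ($null -eq $current) { throw "Target DLL not found: $dll (is Video Engine installed?)" }
if ($current -ge $FixedVersion) {
    Write-Host "Already patched: $dll is version $current"
    return
}
$incoming = Get-DllVersion $newDll
if ($incoming -ne $FixedVersion) {
    throw "Patch DLL at $newDll has version '$incoming', expected $FixedVersion"
}
if (Test-Path -LiteralPath $backup) {
    throw "Backup $backup already exists; remove or rename it before retrying"
}

# Steps from the advisory: keep the old file as vj_generic.dll_old, copy the new one in.
Rename-Item -LiteralPath $dll -NewName 'vj_generic.dll_old'
Copy-Item -LiteralPath $newDll -Destination $dll

# Confirm that the file now in place is the fixed build.
$after = Get-DllVersion $dll
if ($after -ne $FixedVersion) { throw "Verification failed: installed version is '$after'" }
Write-Host "Patched OK: $dll is now version $after (previous build kept as $backup)"
```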
Imprint:
========
Bosch Security Systems B.V.
Torenallee 49
5617 BA, Eindhoven