We use responsible vulnerability management to help improve the safety and security of our products and connected solutions.
Vulnerability Management
A core tenet of our work at Trane Technologies is, “we do what’s right, always.” This includes how we serve, support and protect our customers.
The Trane Technologies Product Security Incident Response Team provides a disciplined approach to vulnerability disclosure and notification. We seek to validate, analyze and mitigate potential vulnerabilities in a responsible manner to minimize our customers’ risk. We encourage security researchers, industry organizations, third-party component suppliers and our customers to contact us with any potential vulnerabilities.
We are prepared to work in good faith with individuals and researchers that report potential vulnerabilities through our Vulnerability Disclosure Process, adhere to applicable laws and avoid harm to others in the testing process. With the reporting party’s consent, we will acknowledge individuals for their vulnerability reporting and collaboration with Trane Technologies.
Vulnerability Disclosure Process
Trane Technologies uses a coordinated vulnerability disclosure procedure, where a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability. Protecting customers is one of Trane Technologies’ highest priorities. We endeavor to address each vulnerability submission in a timely manner. While we are doing that, we require that vulnerability submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. Trane Technologies will notify you when the potential vulnerability in your submission is addressed.
Trane Technologies reserves the right to modify or amend the disclosure process and our submission terms at any time consistent with the requirements of the relevant principles and applicable law.
Product Security Advisories

ID | Product Name | Brand | CVE | Description | Last Updated | Documentation | CSAF |
---|---|---|---|---|---|---|---|
ID-2023-01 | XL824, XL850, XL1050, and Pivot thermostats | Trane | CVE-2023-4212 | CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 6-Nov-23 | N/A | |
ID-2021-02 | Tracer SC, Tracer SC+, Tracer Concierge | Trane | CVE-2021-38450 | CWE-94: Improper Control of Generation of Code ('Code Injection') | 10-Jul-23 | N/A | |
ID-2021-02 | Tracer SC | Trane | CVE-2021-42534 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 27-Oct-21 | N/A | |
ID-2021-01 | Symbio 700, Symbio 800 | Trane | CVE-2021-38448 | CWE-94: Improper Control of Generation of Code ('Code Injection') | 10-May-22 | N/A | |
ID-2017-02 | Trane Comfort Link II | Trane | CVE-2015-2867 | CWE-798: Use of Hard-coded Credentials | 10-Jan-17 | N/A | |
ID-2017-01 | Trane Comfort Link II | Trane | CVE-2015-2868 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | 10-Jan-17 | N/A | |
ID-2016-01 | Trane Tracer SC | Trane | CVE-2016-0870 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | 28-Nov-16 | N/A | |

Reporting a Potential Product Vulnerability
Trane Technologies works with customers and researchers to address product cybersecurity vulnerabilities. Help us to continually improve our products by reporting a potential vulnerability within our offer portfolio or digital platform. By providing a vulnerability disclosure submission to Trane Technologies, we ask that you:
Trane Technologies supports Safe Harbor reporting. Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research. To encourage the coordinated disclosure of product security vulnerabilities, we will consider security research tied to vulnerability disclosure activities as authorized conduct under the Computer Fraud and Abuse Act and will not pursue civil or criminal action.
Please provide details on the application or product impacted by the vulnerability and a short generic description of the issue. You will be contacted by our Product Security Incident Response Team to secure additional details about the reported vulnerability.
If further information is required, please use the PGP Public Key and Fingerprint to transmit details.
Download PGP Public Key and Fingerprint: B49A 1C70 5021 2202 B45C B28B 4DA2 200E 4B1E 0CD6