
SSA-661247: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021 ...

Siemens Security Advisory by Siemens ProductCERT

SSA-661247: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products

Publication Date: 2021-12-13
Last Update: 2022-06-14
Current Base Score: …

On 2021-12-09, a vulnerability in Apache Log4j (a logging tool used in many Java-based applications) was disclosed that could allow remote unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as Log4Shell. On 2021-12-14 an additional denial of service vulnerability (CVE-2021-45046) was published, rendering the initial mitigations and the fix in version … incomplete under certain non-default configurations. Versions … and … are supposed to fix both vulnerabilities. On 2021-12-17, CVE-2021-45046 was reclassified with an increased CVSS base score (from … to …).

Siemens is currently investigating to determine which products are affected and is continuously updating this advisory as more information becomes available. See section Additional Information for more details regarding the investigation status.



The potential impact of CVE-2021-45046 now includes - besides denial of service - also information disclosure and local (and potential remote) code execution.

Two additional vulnerabilities were published for Apache Log4j, the impact of which is documented in SSA-501673 (CVE-2021-45105) and SSA-784507 (CVE-2021-44832).

AFFECTED PRODUCTS AND SOLUTION

Affected Product and Versions, followed by the Remediation for each:

Advantage Navigator Energy & Sustainability: All versions < 2021-12-13
  Remediation: Vulnerability CVE-2021-44228 fixed on central cloud service starting 2021-12-13. No user actions necessary. See further recommendations from section Workarounds and Mitigations.

Advantage Navigator Software Proxy V6: All versions < …
  Remediation: Update to … or later version. See further recommendations from section Workarounds and Mitigations.

Building Operator Discovery Distribution for the Connect X200 Gateway: All versions < …
  Remediation: Update to … or later version. See further recommendations from section Workarounds and Mitigations.

Building Operator Discovery Distribution for the Connect X300 Gateway: All versions < …
  Remediation: Update to … or later version. See further recommendations from section Workarounds and Mitigations.

SSA-661247 Siemens 2022 Page 1 of 27

Building Twin - 360 Viewer: All versions
  Remediation: Vulnerability CVE-2021-44228 fixed on central cloud service. No user actions necessary. See further recommendations from section Workarounds and Mitigations.

Capital …: All versions >= SP1912 < …, only if Teamcenter integration feature is used
  Remediation: Update to SP2204 or later version. See detailed mitigation steps at: … See further recommendations from section Workarounds and Mitigations.

Capital …: All versions < SP2202, only if Teamcenter integration feature is used
  Remediation: Update to SP2202 or later version. See detailed mitigation steps at: … See further recommendations from section Workarounds and Mitigations.

Capital …: All versions < SP2202, only if Teamcenter integration feature is used
  Remediation: Update to SP2202 or later version. See detailed mitigation steps at: … See further recommendations from section Workarounds and Mitigations.

Cerberus …, with Advanced Reporting EM installed
  Remediation: Remove the JndiLookup class from the … Instructions are available at: … See further recommendations from section Workarounds and Mitigations.

COMOS: All versions < …, only if Teamcenter PDI feature is used
  Remediation: Update to … and consider the Notes on using TCCS setup in COMOS … Teamcenter Client Communication System (TCCS), or block both incoming and outgoing connections between the system and the … See further recommendations from section Workarounds and Mitigations.

cRSP …: All versions < …
  Remediation: Update to …, which was deployed on all cRSP services on 2021-12-21; no user actions necessary. Note: Earlier versions of the product contained a vulnerable version of log4j, but no risk for exploitation could be … See further recommendations from section Workarounds and Mitigations.

cRSP Operator Client Starter: All versions < …
  Remediation: Update to … or later version, as provided via cRSP … or later version. Note: Earlier versions of the product contained a vulnerable version of log4j, but no risk for exploitation could be … See further recommendations from section Workarounds and Mitigations.

Desigo …, …, …, with Advanced Reporting EM installed
  Remediation: Remove the JndiLookup class from the … Instructions are available at: … See further recommendations from section Workarounds and Mitigations.

Desigo …, with Advanced Reporting or Info Center EM installed
  Remediation: Remove the JndiLookup class from the … Instructions are available at: … See further recommendations from section Workarounds and Mitigations.

E-Car OC Cloud Application: All versions < 2021-12-13
  Remediation: Vulnerability CVE-2021-44228 fixed on central cloud service starting 2021-12-13; no user actions necessary. See further recommendations from section Workarounds and Mitigations.

Energy …
  Remediation: See detailed remediation and mitigation information on the EnergyIP docs portal at: …+Security+Advisory+for+Log4Shell+Vulnerability. See further recommendations from section Workarounds and Mitigations.

…, …, …, …
  Remediation: See detailed remediation and mitigation information on the EnergyIP docs portal at: …+Security+Advisory+for+Log4Shell+Vulnerability. Note: EnergyIP … and … applications are not directly affected, but CAS … See further recommendations from section Workarounds and Mitigations.

EnergyIP Prepay …: All versions < …, affected by CVE-2021-44228
  Remediation: Update to … or later version. See further recommendations from section Workarounds and Mitigations.

Enlighted Amaze: All versions < 2021-12-10
  Remediation: Vulnerabilities fixed on central cloud services starting 2021-12-10; no user actions necessary. For Comfy and Enlighted, see also chapter Additional Information below. See further recommendations from section Workarounds and Mitigations.

Enlighted Where: All versions < 2021-12-11
  Remediation: Vulnerabilities fixed on central cloud services starting 2021-12-11; no user actions necessary. For Comfy and Enlighted, see also chapter Additional Information below. See further recommendations from section Workarounds and Mitigations.

Geolus Shape Search V10: All versions >= …
  Remediation: Remove the JndiLookup class from the … See detailed remediation and mitigation information at: … See further recommendations from section Workarounds and Mitigations.

Geolus Shape Search V11: All versions
  Remediation: Remove the JndiLookup class from the … See detailed remediation and mitigation information at: … See further recommendations from section Workarounds and Mitigations.

GMA-Manager: All versions >= … < …
  Remediation: Update to … or later version. See further recommendations from section Workarounds and Mitigations.

HEEDS Connect: All versions
  Remediation: HEEDS Connect team will contact all impacted customers to deploy a new log4j version. This action will secure your installation against the Log4Shell vulnerability. For further information see: … See further recommendations from section Workarounds and Mitigations.

HES UDIS: All versions
  Remediation: Specific fix versions based on … and … released and deployed for all affected projects. See further recommendations from section Workarounds and Mitigations.

Industrial Edge Hub: All versions < 2021-12-13
  Remediation: Vulnerabilities fixed on central cloud service starting 2021-12-13; no user actions necessary. See further recommendations from section Workarounds and Mitigations.

Industrial Edge Management App (IEM-App): All versions < …
  Remediation: Update to … or later version. See further recommendations from section Workarounds and Mitigations.

Industrial Edge Management OS (IEM-OS): All versions < …
  Remediation: Update to … or later version. See further recommendations from section Workarounds and Mitigations.

jROS for Spectrum Power 4: SP9
  Remediation: Update to SP9 Security Patch 1 or later version. Please contact your local Siemens … See further recommendations from section Workarounds and Mitigations.

jROS for Spectrum Power 7: V21Q4
  Remediation: Apply the … Contact your local Siemens … See further recommendations from section Workarounds and Mitigations.

Mendix Applications: All versions
  Remediation: Although the Mendix runtime itself is not vulnerable to this exploit, we nevertheless recommend upgrading log4j-core to the latest available version if log4j-core is part of your project. This advice applies regardless of the JRE/JDK version the app … See further recommendations from section Workarounds and Mitigations.

MindSphere App Management Cockpits (Developer & Operator): All versions < 2021-12-16
  Remediation: Vulnerabilities fixed with update on 2021-12-16; no user actions necessary. See further recommendations from section Workarounds and Mitigations.

MindSphere Asset Manager: All versions < 2021-12-16
  Remediation: Vulnerabilities fixed with update on 2021-12-16. No user actions necessary. See further recommendations from section Workarounds and Mitigations.

Mindsphere Cloud Foundry: All versions < 2021-12-14
  Remediation: Although the Cloud Foundry environment itself is not vulnerable to this exploit, we nevertheless recommend upgrading log4j-core to the latest available version if log4j-core is part of your … See further recommendations from section Workarounds and Mitigations.

Mindsphere Cloud Platform: All versions < 2021-12-11
  Remediation: Vulnerabilities fixed on central cloud service starting 2021-12-11; no user actions necessary. See further recommendations from section Workarounds and Mitigations.

MindSphere IAM (User Management/Settings): All versions < 2021-12-16
  Remediation: Vulnerabilities fixed with update on 2021-12-16; no user actions necessary. See further recommendations from section Workarounds and Mitigations.

MindSphere Integrated Data Lake: All versions < 2021-12-16
  Remediation: Vulnerabilities fixed with update on 2021-12-16; no user actions necessary. See further recommendations from section Workarounds and Mitigations.

MindSphere Notification Service: All versions < 2021-12-16
  Remediation: Vulnerabilities fixed with update on 2021-12-16.
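The remediation given for several products above is to remove the JndiLookup class from the product's jar. As an added example (not code from the advisory or from Siemens), the following defender-side check confirms that the class is really gone, including from jars nested inside a war, ear or fat jar; the sample archives it inspects are constructed in the script itself, and the class path is the standard log4j-core 2.x layout.

```python
import io
import zipfile
from typing import List

# Class that the JNDI lookup of CVE-2021-44228 goes through (log4j-core 2.x layout).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data: bytes, prefix: str = "") -> List[str]:
    """Return every location of JndiLookup.class inside the archive bytes.
    Nested archives are opened in memory, so a log4j-core.jar under WEB-INF/lib
    of a war is still found and reported as 'outer.war!/inner.jar!/path'."""
    hits: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container, nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                hits.append(prefix + name)
            elif name.lower().endswith(NESTED_SUFFIXES):
                hits.extend(find_jndi_lookup(zf.read(name), prefix + name + "!/"))
    return hits


def jar_is_mitigated(path: str) -> bool:
    """True when no JndiLookup.class remains anywhere in the archive at path."""
    with open(path, "rb") as fh:
        return not find_jndi_lookup(fh.read())


def build_sample(strip_class: bool) -> bytes:
    """Constructed test data, not a real Log4j build: a toy war that embeds a toy
    log4j-core jar with placeholder class bodies; strip_class mimics the fix."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if not strip_class:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/lib/log4j-core.jar", core.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    for label, data in (("unpatched", build_sample(False)), ("patched", build_sample(True))):
        print(label, find_jndi_lookup(data) or "no JndiLookup.class found")
```

Run it against a real deployment by passing the product's jar or war to jar_is_mitigated; a non-empty result from find_jndi_lookup names the exact nested path that still needs the class removed.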

