Today (1 day before the 2nd Tuesday tranche of Siemens advisories), Siemens published an advisory discussing the Log4Shell vulnerability in their products. Siemens has provided a preliminary list of affected products. They have fixed their cloud-based products (okay, this may be an argument for having cloud-based control systems) and have provided updates for some of the affected products. They have also provided workarounds to mitigate the vulnerabilities.
I expect we will be seeing more Log4Shell advisories from other vendors. I reported briefly on Saturday on early advisories from SonicWall and VMware.
It is disappointing the NCCIC-ICS has not yet published an advisory for this vulnerability, but they may have been waiting for an advisory like this from Siemens that provides actual mitigation measures (the SonicWall and VMware advisories were of the “we are looking at it” type with no mitigation measures). It will be interesting to see how NCCIC-ICS deals with this tomorrow.