Monday, December 13, 2021

Siemens Publishes Log4Shell Advisory

Today, (1 day before the 2nd Tuesday tranche of Siemens advisories) Siemens published an advisory discussing the Log4Shell vulnerability in their products. Siemens has provided a preliminary list of affected products. They have fixed their cloud-based products (okay, this may be an argument for having cloud based control systems) and have provided updates for some of the affected products. They have also provided workarounds to mitigate the vulnerabilities.

I expect we will be seeing more Log4Shell advisories from other vendors. I reported briefly on Saturday on early advisories from SonicWall and VMware.

It is disappointing the NCCIC-ICS has not yet published an advisory for this vulnerability, but they may have been waiting for an advisory like this from Siemens that provides actual mitigation measures (the SonicWall and VMware advisories were of the “we are looking at it” type with no mitigation measures). It will be interesting to see how NCCIC-ICS deals with this tomorrow.

No comments:

/* Use this with templates/template-twocol.html */