More on the Siemens response to the Log4Shell vulnerabilities, which I am watching as a microcosm of the broader Log4Shell response. Yesterday Siemens updated their original advisory again.
Siemens published an update to their Log4Shell advisory, which was first published on December 12th, 2021 and most recently updated on December 17th, 2021. The new information includes:
• Revising the severity of CVE-2021-45046 and removing ineffective mitigation measures,
• Adding Comfy and Enlighted to the list of affected products,
• Adding individual Mindsphere applications,
• Removing Siveillance Viewpoint because it is not affected, and
• Adding a statement regarding Siemens Mobility solutions
Commentary
I am still publishing these updates for the Siemens advisories outside of my normal advisory reporting process because, in my opinion, the Siemens response continues to mirror the problems that the general ICS community is having in responding to this vulnerability. While Siemens has more products to deal with than anyone else in the community, they also have a larger staff, more experienced at handling vulnerability updates, with which to address the problem.
And remember, Siemens has yet to address the third log4j vulnerability, CVE-2021-4104.