Saturday, December 18, 2021

Siemens Updates Log4Shell Advisory Again – 4-18-21

More on the Siemens response to Log4Shell vulnerabilities, watching as a microcosm of Log4Shell response. Yesterday Siemens updated their original advisory again.

Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 17th, 2021. The new information includes:

• Revising the severity of CVE-2021-45046 and removing ineffective mitigation measures,

• Adding Comfy and Enlighted to the list of affected products,

• Adding individual Mindsphere applications,

• Removing Siveillance Viewpoint because it is not affected, and

• Adding a statement regarding Siemens Mobility solutions


I am still publishing these updates for the Siemens advisories outside of my normal advisory reporting process because, in my opinion, the Siemens response continues to mirror the problems that the general ICS community is having with responding to this vulnerability. While Siemens has more products to deal with than anyone else in the community, they also have a larger staff that is more experienced (from the standpoint of dealing with vulnerability updates) to deal with the problem.

And remember, Siemens has yet to address the third log4j vulnerability, CVE-2021-4104.

