Friday, December 17, 2021

Siemens Updates Log4Shell Advisory Again – 4-17-21

More on the Siemens response to the Log4Shell vulnerabilities, which I am following as a microcosm of the wider Log4Shell response. Yesterday Siemens published a new advisory, and today they updated their original advisory again.

New Advisory

Siemens published a new advisory discussing the Log4Shell vulnerabilities in their SPPA-T3000 SeS3000 Security Server. It lists two of the Log4Shell vulnerabilities:

• Deserialization of untrusted data (original) - CVE-2021-44228 (exploits here and here),

• Deserialization of untrusted data - CVE-2021-45046

Siemens is currently providing generic workarounds pending development of mitigation measures.

Update

Siemens published an update to their original Log4Shell advisory, which was first published on December 12th, 2021 and most recently updated on December 16th, 2021. The new information includes:

• Adding additional affected products, remediation or mitigation measures, and products under investigation,

• Removing LOGO! Soft Comfort from the list of affected products,

• Expanding the Teamcenter product listing, and

• Updating the information for Desigo CC and Cerberus DMS.

NOTE 1: Siemens is still not reporting the new CVE-2021-4104 that has been mentioned by Adolus. Nor have they mentioned active exploitation of the vulnerabilities they are reporting (I have not seen any specific mentions of exploits in Siemens products).

NOTE 2: NCCIC-ICS has still not published an ICS related advisory for these vulnerabilities. They also did not cover the original Siemens advisory in their list of new advisories published yesterday.
