More on the Siemens response to the Log4Shell vulnerabilities, which I am watching as a microcosm of the broader Log4Shell response. Yesterday Siemens published a new advisory, and today they updated their original advisory again.
New Advisory
Siemens published a new advisory discussing the Log4Shell vulnerabilities in their SPPA-T3000 SeS3000 Security Server. It lists two of the Log4Shell vulnerabilities:
• Deserialization of untrusted data (original) - CVE-2021-44228 (exploits here and here), and
• Deserialization of untrusted data - CVE-2021-45046
Siemens is currently providing generic workarounds pending development of mitigation measures.
Update
Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 16th, 2021. The new information includes:
• Adding additional affected products, remediation or mitigation measures, and products under investigation,
• Removing LOGO! Soft Comfort from the list of affected products,
• Expanding the Teamcenter product listing, and
• Updating the information for Desigo CC and Cerberus DMS.
NOTE 1: Siemens is still not reporting the new CVE-2021-4104 that has been mentioned by Adolus. Nor have they mentioned active exploitation of the vulnerabilities they are reporting (I have not seen any specific mentions of exploits in Siemens products).
NOTE 2: NCCIC-ICS has still not published an ICS-related advisory for these vulnerabilities. They also did not cover the original Siemens advisory in their list of new advisories published yesterday.