Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS

Act NowCVSS 10SSA-397453Dec 20, 2021

SiemensEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

CVE-2021-44228 (Log4Shell) is a critical vulnerability in Apache Log4j that allows remote unauthenticated code execution. CVE-2021-45046, initially published as a denial of service flaw, was later reclassified to also include information disclosure and remote code execution with increased severity (CVSS 9.0). All versions of Siemens Energy TraceAlertServerPLUS are vulnerable. The vulnerability exists because Log4j does not validate malicious input before processing it through its logging mechanism. Siemens Energy is preparing updates. Until patches are available, network isolation and redundant protection schemes are essential.

What this means

What could happen

An attacker could execute arbitrary code on TraceAlertServerPLUS servers without authentication, potentially allowing them to modify power system monitoring and alerting functions, disrupt grid visibility, or cause false alarms.

Who's at risk

Operators of transmission system operator (TSO) and distribution system operator (DSO) power grids worldwide that use Siemens Energy TraceAlertServerPLUS for critical monitoring and alerting functions. This includes any utility relying on TraceAlertServerPLUS for real-time visibility into power system events or secondary protection scheme supervision.

How it could be exploited

An attacker on the network sends a specially crafted message containing malicious Java code to the Log4j logging interface on TraceAlertServerPLUS. The vulnerable Log4j library processes the message without validating its contents, automatically executing the embedded code with the application's privileges.

Prerequisites

Network access to TraceAlertServerPLUS on the port(s) where it listens for log messages or application input
No valid credentials required

remotely exploitableno authentication requiredlow complexityactively exploited (KEV)EPSS 94.4% (extremely high exploit probability)no patch available for all versionsaffects power grid monitoring and protection systems

Exploitability

Actively exploited — confirmed by CISA KEV

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (1)

ProductAffected VersionsFix Status

TraceAlertServerPLUSAll versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/3

HOTFIXApply security updates from Siemens Energy using provided tooling as soon as available; validate updates in a test environment before production deployment

HARDENINGReview and verify that multi-level redundant secondary protection schemes are active on your power system (as required by regulations); ensure backup protection logic will function independently if TraceAlertServerPLUS is compromised

WORKAROUNDRestrict network access to TraceAlertServerPLUS using firewall rules to only authorized monitoring and management workstations; implement network segmentation so the server is not directly reachable from untrusted networks

Mitigations - no patch available

0/1

TraceAlertServerPLUS has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGConfigure TraceAlertServerPLUS according to Siemens operational guidelines for protected IT environments; isolate the server on a secure network segment with appropriate VPN access controls

CVEs (2)

CVE-2021-44228 CVE-2021-45046

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4b9d55a4-5007-48ac-b9e6-975a5ba48db3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.