Apache Log4j Denial of Service Vulnerability (CVE-2021-45105) - Impact to Siemens Products

Act NowCVSS 7.5SSA-501673Dec 19, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 contain a denial of service vulnerability (CVE-2021-45105) that allows attackers to cause a denial of service condition. This advisory informs about potential impact to Siemens products. Currently, no Siemens products have been identified as vulnerable. Siemens is investigating which products are affected and will update this advisory as information becomes available. This vulnerability is distinct from the JNDI lookup vulnerabilities documented in SSA-661247.

What this means

What could happen

This advisory addresses a denial of service vulnerability in Apache Log4j 2.0–2.16.0 that could affect Siemens products; however, no Siemens products have been identified as vulnerable at this time.

Who's at risk

Water utilities and municipal electric facilities using Siemens automation, SCADA, or monitoring software should monitor this advisory. Specific equipment types cannot be identified until Siemens publishes which products are affected; Log4j is commonly used in Java-based applications, supervisory software, and engineering tools.

How it could be exploited

An attacker with network access to an affected Siemens product running a vulnerable version of Log4j could send specially crafted requests to trigger a denial of service condition, potentially interrupting monitoring, data collection, or control functions depending on which product is eventually identified as affected.

Prerequisites

Network access to the affected Siemens product
The product must be running Apache Log4j version 2.0-alpha1 through 2.16.0
No authentication required

remotely exploitableno authentication requiredlow complexityhigh EPSS score (70.4%)no patch available (advisory pending product identification)

Exploitability

Likely to be exploited — EPSS score 70.4%

Public Proof-of-Concept (PoC) on GitHub (9 repositories)

Affected products (1)

ProductAffected VersionsFix Status

No product currently identified as affectedNo versionsNo fix yet

Remediation & Mitigation

0/3

Do now

0/2

HARDENINGMonitor Siemens security advisories (SSA-501673) and CISA alerts for updates identifying specific affected Siemens products

WORKAROUNDIf your Siemens products are confirmed vulnerable, apply network segmentation and firewall rules to restrict untrusted traffic to affected devices as a compensating control

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXWhen specific products are identified as affected, update to patched versions or mitigations provided by Siemens

CVEs (1)

CVE-2021-45105

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/99c583e7-a4ea-479e-80b5-c4d7f59a31c2

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.