Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products
Act Now | 10 | SSA-661247 | Dec 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Apache Log4j vulnerabilities CVE-2021-44228 ("Log4Shell") and CVE-2021-45046 allow unauthenticated remote code execution via JNDI injection in logging statements. An attacker sends a crafted message to any service using affected Log4j versions; when the message is logged, the lookup it contains is resolved and the attacker's code is executed automatically. The secondary vulnerability (CVE-2021-45046), initially published as a denial-of-service issue, was reclassified to also permit information disclosure and local/remote code execution. Siemens products across multiple divisions (product lifecycle management, process automation, energy, building control, cloud services) are affected. Fix status varies by product line, from patched versions to no fix available.
What this means
What could happen
An unauthenticated attacker can execute arbitrary code remotely on any Siemens device or service running the affected Log4j versions, potentially gaining full control over engineering workstations, automation servers, and cloud services used to manage industrial processes. This could allow an attacker to alter process parameters, disable monitoring, modify historical data, or disrupt operations across energy and manufacturing facilities.
Who's at risk
Any organization running Siemens industrial software is affected, particularly those using Teamcenter (design/lifecycle management), Opcenter (process automation/execution), Industrial Edge (edge computing), MindSphere cloud services, energy management systems (EnergyIP, Spectrum Power, SENTRON), building automation (Desigo CC), or video surveillance (Siveillance). Energy utilities, manufacturing plants, and building operators that rely on these products for real-time monitoring and control are at highest risk.
How it could be exploited
An attacker sends a specially crafted message containing a Log4j JNDI (Java Naming and Directory Interface) lookup string to any network-accessible service that logs user input—such as a web application, API endpoint, or reporting interface. When the vulnerable Log4j library processes this message for logging, it automatically executes the embedded code without requiring authentication. The attacker can host malicious Java objects on an external server and use this mechanism to download and run arbitrary code on the target system.
Prerequisites
- Network access to any service running affected Siemens products (often web-facing or accessible from engineering networks)
- The targeted service must pass user-controlled data to Log4j for logging
- No credentials required
- Remotely exploitable without authentication
- Actively exploited in the wild (KEV)
- Extremely high exploit probability (94.4% EPSS)
- Affects safety and control systems
- Many products have no patch available
- Zero complexity attack—message crafting is trivial
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (140)
71 with fix, 69 pending
Product | Affected Versions | Fix Status
Opcenter EX CP Process Automation Control | ≥ V17.2.3 < V18.1 | 18.1
Teamcenter Reporting and Analytics V11 | ≥ V11.3 | No fix yet
Teamcenter Reporting and Analytics V12.2 | < V12.2.8 | 12.2.8
Teamcenter Reporting and Analytics V12.3 | < V12.3.11 | 12.3.11
Teamcenter Reporting and Analytics V12.4 | < V12.4.1 | 12.4.1
Remediation & Mitigation
Do now
cRSP
HOTFIX: For cloud-based Siemens services (MindSphere, cRSP, Cloud Foundry, etc.): Verify patches were applied by Siemens between 2021-12-11 and 2021-12-23; no local action required
Mendix Applications
HOTFIX: For Mendix-based applications: If Log4j is included as a dependency in custom or packaged Mendix applications, upgrade the log4j-core library to the latest version independent of fix status
All products
HOTFIX: For on-premise Siemens products with available fixes: Update to the specified patched version immediately (e.g., Opcenter EX to v18.1, Teamcenter to appropriate version, Industrial Edge Management to v1.4.11)
WORKAROUND: For products with no fix available: Isolate affected systems from untrusted networks using firewall rules; restrict access to only authorized engineering workstations
WORKAROUND: For products with no fix available: Disable or restrict access to any exposed APIs, web interfaces, or reporting dashboards that may accept external input
Long-term hardening
HARDENING: Segment industrial networks so that office systems, cloud connectors, and plant floor control systems are isolated from each other; prevent direct internet routes to automation devices
HARDENING: Deploy network monitoring to detect outbound JNDI and RMI connection attempts from Siemens systems, which would indicate exploitation attempts
CVEs (2)