OTPulse

Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products

Act NowCVSS 10SSA-661247Dec 13, 2021
SiemensEnergyManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Apache Log4j vulnerability CVE-2021-44228 ("Log4Shell") and CVE-2021-45046 allow unauthenticated remote code execution via JNDI injection in logging statements. An attacker sends a crafted message to any service using affected Log4j versions; when the message is logged, embedded code is automatically executed. A secondary vulnerability (CVE-2021-45046) initially published as denial-of-service was reclassified to also permit information disclosure and local/remote code execution. Siemens products across multiple divisions (product lifecycle management, process automation, energy, building control, cloud services) are affected. Fixes range from patched versions to no-fix-available status depending on product line.

What this means
What could happen
An unauthenticated attacker can execute arbitrary code remotely on any Siemens device or service running the affected Log4j versions, potentially gaining full control over engineering workstations, automation servers, and cloud services used to manage industrial processes. This could allow an attacker to alter process parameters, disable monitoring, modify historical data, or disrupt operations across energy and manufacturing facilities.
Who's at risk
Any organization running Siemens industrial software is affected, particularly those using Teamcenter (design/lifecycle management), Opcenter (process automation/execution), Industrial Edge (edge computing), MindSphere cloud services, energy management systems (EnergyIP, Spectrum Power, SENTRON), building automation (Desigo CC), or video surveillance (Siveillance). Energy utilities, manufacturing plants, and building operators that rely on these products for real-time monitoring and control are at highest risk.
How it could be exploited
An attacker sends a specially crafted message containing a Log4j JNDI (Java Naming and Directory Interface) lookup string to any network-accessible service that logs user input—such as a web application, API endpoint, or reporting interface. When the vulnerable Log4j library processes this message for logging, it automatically executes the embedded code without requiring authentication. The attacker can host malicious Java objects on an external server and use this mechanism to download and run arbitrary code on the target system.
Prerequisites
  • Network access to any service running affected Siemens products (often web-facing or accessible from engineering networks)
  • The targeted service must pass user-controlled data to Log4j for logging
  • No credentials required
Remotely exploitable without authenticationActively exploited in the wild (KEV)Extremely high exploit probability (94.4% EPSS)Affects safety and control systemsMany products have no patch availableZero complexity attack—message crafting is trivial
Exploitability
Actively exploited — confirmed by CISA KEV
Metasploit module available — weaponized exploitView module ↗
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (140)
71 with fix69 pending
ProductAffected VersionsFix Status
Opcenter EX CP Process Automation Control≥ V17.2.3 < V18.118.1
Teamcenter Reporting and Analytics V11≥ V11.3No fix yet
Teamcenter Reporting and Analytics V12.2< V12.2.812.2.8
Teamcenter Reporting and Analytics V12.3< V12.3.1112.3.11
Teamcenter Reporting and Analytics V12.4< V12.4.112.4.1
Remediation & Mitigation
0/7
Do now
0/5
cRSP
HOTFIXFor cloud-based Siemens services (MindSphere, cRSP, Cloud Foundry, etc.): Verify patches were applied by Siemens between 2021-12-11 and 2021-12-23; no local action required
Mendix Applications
HOTFIXFor Mendix-based applications: If Log4j is included as a dependency in custom or packaged Mendix applications, upgrade the log4j-core library to the latest version independent of fix status
All products
HOTFIXFor on-premise Siemens products with available fixes: Update to the specified patched version immediately (e.g., Opcenter EX to v18.1, Teamcenter to appropriate version, Industrial Edge Management to v1.4.11)
WORKAROUNDFor products with no fix available: Isolate affected systems from untrusted networks using firewall rules; restrict access to only authorized engineering workstations
WORKAROUNDFor products with no fix available: Disable or restrict access to any exposed APIs, web interfaces, or reporting dashboards that may accept external input
Long-term hardening
0/2
HARDENINGSegment industrial networks so that office systems, cloud connectors, and plant floor control systems are isolated from each other; prevent direct internet routes to automation devices
HARDENINGDeploy network monitoring to detect outbound JNDI and RMI connection attempts from Siemens systems, which would indicate exploitation attempts
View full Siemens ProductCERT advisory
API: /api/v1/advisories/a778466d-cd3a-437f-a4be-1e8844f512ea

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products | CVSS 10 - OTPulse