Apache Log4j Vulnerability (CVE-2021-44832) via JDBC Appender - Impact to Siemens Products
Act Now · 6.6 · SSA-784507 · Dec 28, 2021
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: None needed
Summary
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) contain a vulnerability that could allow an attacker with permission to modify the logging configuration file to execute arbitrary code when the JDBC Appender is used. This vulnerability is distinct from other JNDI lookup vulnerabilities. Currently, no Siemens products have been identified as vulnerable to CVE-2021-44832.
What this means
What could happen
If a Siemens product is later identified as affected, an attacker with access to modify logging configuration files could execute arbitrary code on the affected device, potentially compromising control system availability and integrity.
Who's at risk
This advisory currently identifies no specific Siemens products as affected. However, any Siemens product that bundles Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding patched versions 2.3.2 and 2.12.4) for logging could be vulnerable if that product uses the JDBC Appender feature. This could include industrial automation products, SCADA systems, or engineering workstations. Organizations should monitor Siemens security updates for clarification on affected equipment.
How it could be exploited
An attacker must first gain permission to modify the Log4j2 configuration file on an affected device. With that access, they can configure the JDBC Appender to execute arbitrary code, which would run with the privileges of the application using Log4j2.
Prerequisites
- Write access to the Log4j2 configuration file
- The application must be using the JDBC Appender feature
- The Siemens product must be running a vulnerable Log4j2 version (2.0-beta7 through 2.17.0, excluding 2.3.2 and 2.12.4)
Key facts:
- Configuration file modification required for exploitation
- High EPSS score (53.6%)
- No affected products currently identified
Exploitability
High exploit probability (EPSS 53.6%)
Affected products (1)
Product: No product currently identified as affected
Affected Versions: No versions
Fix Status: No fix yet
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
HARDENING: Monitor Siemens security advisories for updates identifying specific affected products
HOTFIX: If a Siemens product is confirmed vulnerable, update or upgrade to a version using Log4j2 2.3.2, 2.12.4, or 2.17.1 or later
Long-term hardening
HARDENING: Restrict write access to Log4j2 configuration files on any devices running potentially affected Siemens products
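The exploitation prerequisites listed above (a JDBC Appender wired into the configuration, and write access to that configuration file) and the long-term hardening item can be checked together on a host. The script below is an added example, not part of the Siemens advisory or of Log4j2 itself; it assumes the Log4j2 XML configuration format (JSON, YAML and properties configurations are not parsed), uses the connection-source element names documented for the JDBC appender, and runs against a constructed sample configuration rather than a real device file.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample Log4j2 XML configuration (not taken from any Siemens product):
# a JDBC appender whose connection comes from a JNDI DataSource.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="db" tableName="event_log">
      <DataSource jndiName="java:comp/env/jdbc/EventLog"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>
"""
# Child elements that supply a JDBC appender's connection (Log4j2 matches element names case-insensitively).
SOURCES = {"datasource", "connectionfactory", "drivermanager", "poolingdriver"}

def find_jdbc_appenders(xml_bytes):
    """Return (appender name, connection-source tag) for each JDBC appender found."""
    found = []
    for elem in ET.fromstring(xml_bytes).iter():
        if elem.tag.lower() == "jdbc":
            kinds = [c.tag for c in elem if c.tag.lower() in SOURCES]
            found.append((elem.get("name", "?"), kinds[0] if kinds else "unspecified"))
    return found

def is_group_or_world_writable(path):
    """True if anyone besides the file owner can modify the configuration file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_config(path):
    """Both prerequisites for one file: JDBC appender present, and config writable."""
    with open(path, "rb") as fh:
        appenders = find_jdbc_appenders(fh.read())
    return {"jdbc_appenders": appenders, "loose_perms": is_group_or_world_writable(path)}

def demo():
    """Write the sample to a temp file and audit it under owner-only and loose modes."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_CONFIG)
    results = {}
    for label, mode in (("owner_only", 0o640), ("world_writable", 0o666)):
        os.chmod(path, mode)
        results[label] = audit_config(path)
    os.remove(path)
    return results
```

Point `audit_config` at each log4j2.xml found on a device; a file that reports both a JDBC appender and loose permissions meets the advisory's prerequisites and is the first place to tighten write access.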
CVEs (1)
- CVE-2021-44832