← Back to home
SIEMENS-SSA-397453  ·  Published 2021-12-20  ·  View on Siemens ProductCERT ↗

SSA-397453 V1.0: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS

CVSS 3.7 LOW CISA KEV — Known Exploited

Risk Summary

<p>On 2021-12-09, a vulnerability in Apache Log4j (a logging library used in many Java-based applications) was disclosed, that could allow remote unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as “Log4Shell”.</p> <p>On 2021-12-14 an additional denial of service vulnerability (CVE-2021-45046) was published rendering the initial mitigations and fix in version 2.15.0 as incomplete under certain non-default configurations. Log4j versions 2.16.0 and 2.12.2 are supposed to fix both vulnerabilities.</p> <p>On 2021-12-17, CVE-2021-45046 was reclassified with an increased CVSS base score (from 3.7 to 9.0). The potential impact of CVE-2021-45046 now includes - besides denial of service - also information disclosure and local (and potential remote) code execution.</p> <p>Siemens Energy is preparing updates and recommends specific countermeasures for TraceAlertServerPLUS.</p>

CVEs (2)

Remediations

  • Refer to Siemens ProductCERT advisory for patch and remediation guidance.

Affected Vendors

Siemens

Affected Products (1)

Siemens · SSA-397453 V1.0: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS See advisory

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more