SSA-479842 V1.1 (Last Update: 2021-12-23): Apache Log4j Vulnerabilities - Impact to Siemens Energy Sensformer / Sensgear (Platform, Basic and Advanced)

Risk Summary

<p>On 2021-12-09, a vulnerability in Apache Log4j (a logging tool used in many Java-based applications) was disclosed, that could allow remote unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as “Log4Shell”.</p> <p>On 2021-12-14 an additional denial of service vulnerability (CVE-2021-45046) was published rendering the initial mitigations and fix in version 2.15.0 as incomplete under certain non-default configurations. Log4j versions 2.16.0 and 2.12.2 are supposed to fix both vulnerabilities.</p> <p>On 2021-12-17, CVE-2021-45046 was reclassified with an increased CVSS base score (from 3.7 to 9.0). The potential impact of CVE-2021-45046 now includes - besides denial of service - also information disclosure and local (and potential remote) code execution. Furthermore, one additional denial of service vulnerability, CVE-2021-45105, was disclosed.</p> <p>The Siemens Energy Sensformer / Sensgear cloud service wa

CVEs (3)

Remediations

• Refer to Siemens ProductCERT advisory for patch and remediation guidance.

Affected Vendors

Affected Products (1)