SSA-397453

Vulnerability from csaf_siemens - Published: 2021-12-20 00:00 - Updated: 2021-12-20 00:00
Summary
SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS

Notes

Summary
On 2021-12-09, a vulnerability in Apache Log4j (a logging library used in many Java-based applications) was disclosed, that could allow remote unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as "Log4Shell". On 2021-12-14 an additional denial of service vulnerability (CVE-2021-45046) was published rendering the initial mitigations and fix in version 2.15.0 as incomplete under certain non-default configurations. Log4j versions 2.16.0 and 2.12.2 are supposed to fix both vulnerabilities. On 2021-12-17, CVE-2021-45046 was reclassified with an increased CVSS base score (from 3.7 to 9.0). The potential impact of CVE-2021-45046 now includes - besides denial of service - also information disclosure and local (and potential remote) code execution. Siemens Energy is preparing updates and recommends specific countermeasures for TraceAlertServerPLUS.
General Recommendations
Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design. Siemens Energy strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens Energy strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens Energy strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
To clipboard 

{
  "document": {
    "category": "Siemens Security Advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited.",
      "tlp": {
        "label": "WHITE"
      }
    },
    "notes": [
      {
        "category": "summary",
        "text": "On 2021-12-09, a vulnerability in Apache Log4j (a logging library used in many Java-based applications) was disclosed, that could allow remote unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as \"Log4Shell\".\n\nOn 2021-12-14 an additional denial of service vulnerability (CVE-2021-45046) was published rendering the initial mitigations and fix in version 2.15.0 as incomplete under certain non-default configurations. Log4j versions 2.16.0 and 2.12.2 are supposed to fix both vulnerabilities.\n\nOn 2021-12-17, CVE-2021-45046 was reclassified with an increased CVSS base score (from 3.7 to 9.0). The potential impact of CVE-2021-45046 now includes - besides denial of service - also information disclosure and local (and potential remote) code execution.\n\nSiemens Energy is preparing updates and recommends specific countermeasures for TraceAlertServerPLUS.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid\u0027s reliability can thus be minimized by virtue of the grid design.\n\nSiemens Energy strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens Energy strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment.\n\nAs a general security measure Siemens Energy strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.",
        "title": "General Recommendations"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "productcert@siemens.com",
      "name": "Siemens ProductCERT",
      "namespace": "https://www.siemens.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS - PDF Version",
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
      },
      {
        "category": "self",
        "summary": "SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS - TXT Version",
        "url": "https://cert-portal.siemens.com/productcert/txt/ssa-397453.txt"
      },
      {
        "category": "self",
        "summary": "SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-397453.json"
      }
    ],
    "title": "SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS",
    "tracking": {
      "current_release_date": "2021-12-20T00:00:00Z",
      "generator": {
        "engine": {
          "name": "Siemens ProductCERT CSAF Generator",
          "version": "1"
        }
      },
      "id": "SSA-397453",
      "initial_release_date": "2021-12-20T00:00:00Z",
      "revision_history": [
        {
          "date": "2021-12-20T00:00:00Z",
          "legacy_version": "1.0",
          "number": "1",
          "summary": "Publication Date"
        }
      ],
      "status": "interim",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "TraceAlertServerPLUS",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "TraceAlertServerPLUS"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-44228",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Apache Log4j V2, versions \u003c 2.15.0 do not protect JNDI features (as used in configuration, log messages, and parameters) against attacker controlled LDAP and other JNDI related endpoints.\n\nAn attacker who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "references": [
        {
          "summary": "CVE-2021-44228 Mitre 5.0 json",
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-44228.json"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Open TraceAlertServerPLUS.exe with Zip tool to remove file JndiLookup.class in directory org/apache/logging/log4j/core/lookup/.\n\nThis measure mitigates both CVE-2021-44228 and CVE-2021-45046.",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "none_available",
          "details": "Currently no remediation is available",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Review the status of the defense in depth recommendations that apply to your specific deployment and align as needed. Especially the measures on the network layer to prevent accessibility from other network segments",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Restrict physical access to the local networks of the solution",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Ensure that TraceAlertServerPLUS does not run with elevated privileges",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Check file system permissions",
          "product_ids": [
            "1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2021-44228"
    },
    {
      "cve": "CVE-2021-45046",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The fix to address CVE-2021-44228 was incomplete in certain non-default configurations, when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, ${ctx:loginId}).\n\nThis could allow attackers with control over Thread Context Map (MDC) input data to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "references": [
        {
          "summary": "CVE-2021-45046 Mitre 5.0 json",
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-45046.json"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Open TraceAlertServerPLUS.exe with Zip tool to remove file JndiLookup.class in directory org/apache/logging/log4j/core/lookup/.\n\nThis measure mitigates both CVE-2021-44228 and CVE-2021-45046.",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "none_available",
          "details": "Currently no remediation is available",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Review the status of the defense in depth recommendations that apply to your specific deployment and align as needed. Especially the measures on the network layer to prevent accessibility from other network segments",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Restrict physical access to the local networks of the solution",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Ensure that TraceAlertServerPLUS does not run with elevated privileges",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "mitigation",
          "details": "Check file system permissions",
          "product_ids": [
            "1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2021-45046"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.