Public ICS Disclosure – Log4Shell – Week of 12-18-21
This is part 2 of this week’s Public ICS Disclosure post, looking at Log4Shell advisories in the ICS world. I am continuing to use the same format that I used last week and I am reporting on all of the advisories that I know about, even if they have not changed this week. The new/updated advisories are marked with a ‘•’. There are 80 advisories in this week’s list.
Behind Registration Wall
PCVue Solutions published an advisory.
Not Affected
Braun published an advisory reporting that none of their products are affected. Medical device vendor.
Braun (USA) published a statement reporting that none of their products are affected. Medical device vendor.
BR Automation published an advisory reporting that none of their products are affected.
Carestream published an advisory reporting that none of their products are affected. Medical device vendor.
Draeger published an advisory that none of their products are affected. Medical device vendor.
DrayTek published an advisory reporting that none of their products are affected.
CODESYS published a notice reporting that none of their products are affected.
HMS published an advisory reporting that their Argos and HMS Hub web services are not affected.
HMS published an advisory reporting that their Ixxat products are not affected.
HMS published an advisory for their WEBfactory product line. Updated to not affected.
Meinberg published an advisory. Updated to report that none of their products are affected.
• Mobile Industrial Robots published an advisory reporting that none of their products are affected.
• Sprecher published an advisory reporting that none of their products are affected. They acknowledge that some alerting software reports some of their product as affected, but maintain that those results are false-positives. They are working on an updated version that corrects the problem.
Vendors Still Looking at the Vulnerability
Baxter published an advisory. Medical device vendor.
BD published an advisory. Provides list of unaffected products. Medical device vendor.
• Boston Scientific published an advisory. Provides a list of unaffected products. Medical device vendor.
• Carrier published an advisory.
Emerson published an advisory. Provides lengthy list of unaffected products.
GE published an advisory. It provides a list of GE Digital products that are not affected by Log4Shell, but evaluations on continuing on GE Digital Plant Manufacturing product family.
GE Healthcare published a statement that they are looking at the problem. Medical device vendor.
Genetec published an advisory. Provides list of unaffected products. Still evaluating ATM Diebold plugin.
• Johnson Controls published an advisory. Added list of unaffected products. Updated lists of affected products
Medtronic published an advisory. No specific products listed either way. Medical device vendor.
Moxa published an advisory. Provides link to list of not-affected products.
QNAP published an advisory. They are still waiting on word from 3rd party suppliers for the status of other products. Added QES to list of not-affected products.
Vendors With Affected Product Lists
Aruba published an update. A list of unaffected products is provided.
Eaton published an advisory that reports that they have directly contacted affected customers with affected products.
• Hitachi Energy published a generic Log4Shell advisory. The advisory provides links to affected product specific advisories.
• HMS published an advisory for their Anybus product line. They provide lists of affected and unaffected products, but other products are still being evaluated.
• HPE published an advisory. Affected products include some version of their XP Performance Advisory, SimpliVity, 3Par, SANnav, and Intelligent Management Center. Updated list of affected products.
Phenix Contact published a statement of the Log4Shell vulnerabilities. List of unaffected products. Working on mitigation measures for cloud products.
Philips published an advisory. Contains list of probably affected products. Medical device vendor.
SonicWall published an update for their advisory was originally published on December 10th, 202.. They updated the lists of affected and unaffected products.
Vendors With Mitigation Measures
ABB published an advisory. Reports that their ABB Remote Access Platform (RAP) is fixed.
• Adaptec published an advisory for their Microchip products. They provide generic workarounds pending development of a new version.
Aruba published an advisory for their Silver Peak product. Mitigation measures are available.
• Boston Scientific published a separate advisory for their Latitude product line. List LATITUDE Link™ as being affected and provides patch. Medical device vendor. Updated 12-20-21.
• Bosch published an advisory for their PRAESENSA Advanced Public Address Server (PRA-APAS). The new version does not address CVE-2021-45105, that work is ongoing.
• Bosch published an advisory for their Rexroth products. Bosch has a new version that mitigates all three vulnerabilities.
• Broadcom published an advisory. Affected products include some versions of Brocade SANnav. Broadcom provides scripts for removing the JndiLookup class. A list of unaffected products is provided.
Dell published an advisory for their Dell EMC Ruckus Wireless Controllers. They provide a link to updates for some of the affected products.
Dell published an advisory for their Dell Wyse Management Suite. They provide an update that mitigates the vulnerability. NOTE: Dell has advisories for other non-ICS related products as well.
Fujitsu published an advisory for a wide range of products. Provides lists of affected, unaffected, and under investigation products. Provides new versions for some of the affected products.
Hitachi Energy published an advisory for their UNEM Products. They provide a new version for some of the affected products.
Hitachi Energy published an advisory for their FOXMAN-UN Products. They provide a new version for some of the affected products.
Hitachi Energy published an advisory for their Lumada Enterprise Asset Manager & Field Service Manager (EAMFSM) Products. They provide generic mitigation measures.
Hitachi Energy published an advisory for their y Counterparty Settlement and Billing (CSB) Product. They provide generic mitigation measures with a patch expected December 22nd.
Hitachi Energy published an advisory for their Network Manager Advanced Distributed Management System (NM-ADMS) Product. They provide generic mitigation measures.
Hitachi Energy published an advisory for their MMS Internal Facing Subcomponent. They report that a patch has been delivered.
Hitachi Energy published an advisory for their Lumada Asset Performance Management (APM) Product. They report that the Lumada APM Software-as-a-Service has been fixed. Generic mitigation measures are provided for remaining affected products.
Hitachi Energy published an advisory for their nMarket Global I-SEM. They provide a new version for both the SAAS and onsite versions.
Hitachi Energy published an advisory for their Network Manager SCADA/EMS Product. They provide generic mitigation measures.
Hitachi Energy published an advisory for their Axis Product. They report the SAAS product has been fixed.
• Hitachi Energy published an advisory for their nMarket product. Hitachi Energy provides generic workarounds pending development of a new version in March.
• Hitachi Energy published an advisory for their nMarket Global products. The SAAS versions have been fixed. Hitachi Energy provides generic workarounds pending development of a new version in March.
• Hitachi Energy published an advisory for their e-Mesh Monitor. This cloud-based product has been fixed.
• Hitachi Energy published an advisory for their RelCare. Both the cloud-based and on-site products have been patched.
• HMS published an advisory for their EWON products. HMS has a new version for their eCatcher product and has fixed their Talk2M cloud infrastructure. Updated list of unaffected products.
HMS published an advisory for their Intesis product. They report the SAAS products are fixed.
HPE published an advisory for their HPE Service Director product. They have a new version that mitigates the vulnerabilities.
HPE published an advisory for their StoreServ Management Console. They have a new version that mitigates the vulnerabilities.
• HPE published an advisory for their Remote SIM Provisioning Manager (RSPM). They have a new version that mitigates the vulnerabilities.
• HPE published an advisory for their Dynamic SIM Provisioning (DSP). They have a new version that mitigates the vulnerabilities.
• HPE published an advisory for their 3PAR Service Processors. They have a new version that mitigates the vulnerability.
• HPE published an advisory for their Trueview Inventory Software Series. They have a new version that mitigates the vulnerabilities.
• HPE published an advisory for their Real Time Management System (RTMS). They have a new version that mitigates the vulnerabilities.
• HPE published an advisory for their enhanced Interactive Unified Mediation (eIUM). They have a new version that mitigates the vulnerabilities.
• HPE published an advisory for their Edge Infrastructure Automation. They have a new version that mitigates the vulnerabilities.
Prosys OPC published a blog post discussing the Log4Shell vulnerabilities. Provides list of affected and unaffected products. Lists mitigation measures for SDK product.
Rockwell published an advisory. Rockwell identified a preliminary list of affected products and reports that they have all already had mitigation measures applied. Updated affected product list and affected versions.
Ruckus published an update. Ruckus provides new versions for some of the affected products and expected release dates for many of the remainder.
• Schneider published an advisory. Schneider provides new versions that use the 2.16 version of Log4j.
Sick published an advisory. Sick has a new version that mitigates the vulnerability in the affected products.
Spacelabs published an advisory. Provides list of unaffected products. Review on cloud product and has fixed a second cloud product.
• VMware published an update. More new versions available for more of the affected products.
WIBU published an advisory. WIBU lists two affected products and has new versions for each.
• WIBU published an advisory for their Codemeter products. They have new versions that mitigate the vulnerabilities. This appears to be a duplicate of the earlier advisory.
• Wind River published an update. Wind River lists one affected product and has a new version to mitigate the vulnerabilities. Products not affected by CVE-2021-45015.
• Xylem published an advisory. Provides list of affected products and reports that patching is complete on two of those products. Updated for CVE-2021-45046 and CVE-2021-45105.
NOTE: Because of the importance of this topic, this is being published to both paid and free subscribers.