Public ICS Disclosure – Log4Shell – Week of 1-1-22
This is part 2 of this week’s Public ICS Disclosure post, looking at Log4Shell advisories in the ICS world. I am reporting on all of the advisories that I know about, even if they have not changed this week. The new/updated advisories are marked with a ‘•’. There are 99 advisories in this week’s list, up from 91 last week.
NOTE: Thanks to Rob Hulsebos of Forescout for providing links to new advisories that I had not previously reported.
Behind Registration Wall
PCVue Solutions published an advisory.
Not Affected
Braun published an advisory reporting that none of their products are affected. Medical device vendor.
Braun (USA) published a statement reporting that none of their products are affected. Medical device vendor.
BR Automation published an advisory reporting that none of their products are affected.
Carestream published an advisory reporting that none of their products are affected. Medical device vendor.
Draeger published an advisory that none of their products are affected. Medical device vendor.
DrayTek published an advisory reporting that none of their products are affected.
CODESYS published a notice reporting that none of their products are affected.
• Flexera published an advisory reporting that FlexNet Publisher is not affected.
HMS published an advisory reporting that their Argos and HMS Hub web services are not affected.
HMS published an advisory reporting that their Ixxat products are not affected.
HMS published an advisory for their WEBfactory product line. Updated to not affected.
Meinberg published an advisory. Updated to report that none of their products are affected.
Mobile Industrial Robots published an advisory reporting that none of their products are affected.
Sprecher published an advisory reporting that none of their products are affected. They acknowledge that some alerting software reports some of their product as affected, but maintain that those results are false-positives. They are working on an updated version that corrects that problem.
• Westermo published an advisory reporting that ELTEC products running OpenWRT firmware are not affected by this vulnerability.
• Westermo published an advisory reporting that Westermo products from the BRD/MRD-series are not affected by this vulnerability.
• Westermo published an advisory reporting that Westermo Ibex products running SW6 firmware are not affected by this vulnerability.
• Westermo published an advisory reporting that Westermo WeOS products are not affected by this vulnerability.
Vendors Still Looking at the Vulnerability
• Axis published an advisory. Provides lists of affected, unaffected, and still-under-review products.
BD published an advisory. Provides list of unaffected products. Medical device vendor.
• Boston Scientific published an advisory. Updated list of unaffected products. Medical device vendor.
Carrier published an advisory.
Dell published a generic advisory. Describes four log4j vulnerabilities with links to source information.
Emerson published an advisory. Provides lengthy list of unaffected products.
GE published an advisory. It provides a list of GE Digital products that are not affected by Log4Shell, but evaluations are continuing on the GE Digital Plant Manufacturing product family.
GE Healthcare published a statement that they are looking at the problem. Medical device vendor.
Genetec published an advisory. Provides list of unaffected products. Still evaluating ATM Diebold plugin.
Hillrom published an advisory. Medical device vendor.
Hitachi published an advisory. Provides a list of affected products.
Medtronic published an advisory. No specific products listed either way. Medical device vendor.
Moxa published an advisory. Provides link to list of not-affected products.
Siemens published an advisory for CVE-2021-45105.
Siemens published an advisory for CVE-2021-44832.
Vendors With Affected Product Lists
Aruba published an update. A list of unaffected products is provided.
• Dell published a generic advisory (44228). Updated list of affected products with links to product specific advisories.
Eaton published an advisory that reports that they have directly contacted affected customers with affected products.
Hitachi Energy published a generic Log4Shell advisory. The advisory provides links to affected product specific advisories.
HMS published an advisory for their Anybus product line. Still evaluating some products.
• HPE published an advisory. Updated affected products and mitigation measure links.
Philips published an advisory. Contains list of probably affected products. Medical device vendor.
QNAP published an advisory. Contains list of not affected products.
SonicWall published an advisory. Contains lists of affected and unaffected products.
Vendors With Mitigation Measures
ABB published an advisory. Added information related to CVE-2021-44832.
ABB published a separate advisory. Reports that their ABB Remote Access Platform (RAP) is fixed.
Adaptec published an advisory for their Microchip products. They provide generic workarounds pending development of a new version.
Aruba published an advisory for their Silver Peak product. Mitigation measures are available.
Baxter published an advisory. Reports that all affected products have been fixed. Provides a link to Hillrom products.
Boston Scientific published a separate advisory for their Latitude product line. Lists LATITUDE Link™ as affected and provides a patch. Medical device vendor.
Bosch published an advisory for their PRAESENSA Advanced Public Address Server (PRA-APAS).
Bosch published an advisory for their Rexroth products.
Broadcom published an advisory. Affected products include some versions of Brocade SANnav. Broadcom provides scripts for removing the JndiLookup class. A list of unaffected products is provided.
Dell published an advisory for their Dell EMC Ruckus Wireless Controllers.
• Dell published an advisory for their Dell Wyse Management Suite. Updated affected product list and mitigation measures.
Fujitsu published an advisory for a wide range of products.
Hitachi Energy published an advisory for their UNEM Products.
Hitachi Energy published an advisory for their FOXMAN-UN Products.
Hitachi Energy published an advisory for their Lumada Enterprise Asset Manager & Field Service Manager (EAMFSM) Products. They provide generic mitigation measures.
Hitachi Energy published an advisory for their Counterparty Settlement and Billing (CSB) Product.
Hitachi Energy published an advisory for their Network Manager Advanced Distributed Management System (NM-ADMS) Product. They provide generic mitigation measures.
Hitachi Energy published an advisory for their MMS Internal Facing Subcomponent.
Hitachi Energy published an advisory for their Lumada Asset Performance Management (APM) Product. They report that the Lumada APM Software-as-a-Service has been fixed. Generic mitigation measures are provided for remaining affected products.
Hitachi Energy published an advisory for their nMarket Global I-SEM.
Hitachi Energy published an advisory for their Network Manager SCADA/EMS Product. They provide generic mitigation measures.
Hitachi Energy published an advisory for their Axis Product.
Hitachi Energy published an advisory for their nMarket product. Hitachi Energy provides generic workarounds pending development of a new version in March.
Hitachi Energy published an advisory for their nMarket Global products. The SAAS versions have been fixed. Hitachi Energy provides generic workarounds pending development of a new version in March.
Hitachi Energy published an advisory for their e-Mesh Monitor.
Hitachi Energy published an advisory for their RelCare.
HMS published an advisory for their EWON products.
HMS published an advisory for their Intesis product.
HPE published an advisory for their HPE Service Director product.
• HPE published an advisory for their StoreServ Management Console. Added information for new Log4j vulnerabilities.
HPE published an advisory for their Remote SIM Provisioning Manager (RSPM).
HPE published an advisory for their Dynamic SIM Provisioning (DSP).
• HPE published an advisory for their 3PAR Service Processors. Added information for new Log4j vulnerabilities.
HPE published an advisory for their Trueview Inventory Software Series.
HPE published an advisory for their Real Time Management System (RTMS).
HPE published an advisory for their enhanced Interactive Unified Mediation (eIUM).
HPE published an advisory for their Edge Infrastructure Automation.
• Johnson Controls published an advisory. Moved to mitigation measures list. Updated unaffected products.
• Palo Alto Networks published an advisory.
• Phoenix Contact published an advisory. Moved to mitigation measures list.
Prosys OPC published a blog post discussing the Log4Shell vulnerabilities. Provides list of affected and unaffected products. Lists mitigation measures for SDK product.
QNAP published an advisory. Provides generic mitigation measures for third-party applications.
Rockwell published an advisory.
Ruckus published an update. Ruckus provides new versions for some of the affected products and expected release dates for many of the remainder.
Schneider published an advisory. Adds mention of CVE-2021-44832 and updates mitigation measures.
Sick published an advisory.
Siemens published an advisory for SPPA-T3000.
Siemens published an advisory for Siemens Energy TraceAlertServerPLUS.
Siemens published an advisory for Siemens Energy Sensformer / Sensgear.
Siemens published an advisory for Log4Shell impact.
Spacelabs published an advisory. Provides list of unaffected products. One cloud product is still under review, and a second cloud product has been fixed.
VMware published an update.
• WAGO – CERT-VDE published an advisory for the WAGO Smart Script product.
WIBU published an advisory.
WIBU published an advisory for their Codemeter products.
Wind River published an update. Products not affected by CVE-2021-45015.
Xylem published an advisory.
NOTE: Because of the importance of this topic, this is being published to both paid and free subscribers.