Public ICS Disclosures - Log4Shell Advisories

12-14-21

Today I am taking an out-of-band look at ICS vendor disclosures for the Log4Shell vulnerability. I have not looked at my list of medical device vendors for this post, I may look at those later this week. For this post we have 21 vendor disclosures from Aruba, Broadcom, CODESYS, Dell, GE (2), HMS (5), HPE, Hitachi Energy, Johnson Controls, QNAP, Rockwell, Ruckus, Schneider Electric, SonicWall (update), VMware and Wind River. I am using a slightly different format for this post, separating advisories into four groups; not affected, still looking, affected products list, and mitigation.

Not Affected

CODESYS published a notice that none of their products are affected.

HMS published an advisory reporting that their Argos and HMS Hub web services are not affected.

HMS published an advisory reporting that their Ixxat products are not affected.

Vendors Still Looking at the Vulnerability

GE published a generic Log4Shell advisory.

GE published an advisory. It provides a list of GE Digital products that are not affected by Log4Shell, but evaluations on continuing on GE Digital Plant Manufacturing product family.

HMS published an advisory for their Anybus product line. They provide a list of unaffected products, but other products are still be evaluated.

HMS published an advisory for their WEBfactory product line. They provide a list of unaffected products, but other products are still be evaluated.

Hitachi Energy published an advisory. No specific products are listed either way.

Meinberg published an advisory. They report that LANTIME and microSync products are not affected. They are still waiting on word from 3rd party suppliers for the status of other products.

QNAP published an advisory. They report that their QTS, QuTS hero, Qsirch, and MinimServer are not affected. They are still waiting on word from 3rd party suppliers for the status of other products.

Johnson Controls published an advisory. No specific products are listed either way.

Schneider published an advisory. No specific products are listed either way.

Vendors With Affected Product Lists

Aruba published an advisory. Affected products include Silver Peak Orchestrator, though other products are still being evaluated. A list of unaffected products is provided.

HPE published an advisory. Affected products include some version of their XP Performance Advisory, SimpliVity, 3Par, SANnav, and Intelligent Management Center.

Ruckus published an advisory.  Ruckus has preliminarily determined that three products are affected and provides a short list of unaffected products. The remaining products remain under investigation.

SonicWall published an update for their advisory was originally published on December 10th, 202.. They updated the lists of affected and unaffected products.

Wind River published an advisory. They report one affected product, Wind River Studio Analytics. They provide a list of unaffected products.

Vendors With Mitigation Measures

Broadcom published an advisory. Affected products include some versions of Brocade SANnav. Mitigation steps (Dlog4j2 settings change) are outlined. A list of unaffected products is provided.

Dell published an advisory for their Dell Wyse Management Suite. They provide an update that mitigates the vulnerability. NOTE: Dell has advisories for other non-ICS related products as well.

HMS published an advisory for their EWON products. HMS has a new version for their eCatcher product and has fixed their Talk2M cloud infrastructure.  

Rockwell published an advisory. Rockwell identified a preliminary list of affected products and reports that they have all already had mitigation measures applied. The products include Plex IIot and Fiix CMMS core V5.

VMware published an update for their advisory was originally published on December 10th, 2021. They have versions that mitigate the vulnerability in selected products.

NOTE: Because of the importance of this topic, this is being published to both paid and free subscribers.