This is effectively Part 3 of my weekly public ICS disclosure post. It is a follow-up to Tuesday’s post for disclosures on Log4Shell vulnerabilities. For ease of finding disclosures, I will include all of those notifications from Tuesday’s post with a note of ‘no change’ if appropriate. And I will be using the same format. There are 66 vendor notifications listed in today’s post.
Behind Registration Wall
PCVue Solutions published an advisory.
Not Affected
Braun published an advisory reporting that none of their products are affected. Medical device vendor.
Braun (USA) published a statement reporting that none of their products are affected. Medical device vendor.
BR Automation published an advisory reporting that none of their products are affected.
Carestream published an advisory reporting that none of their products are affected. Medical device vendor.
Draeger published an advisory reporting that none of their products are affected. Medical device vendor.
DrayTek published an advisory reporting that none of their products are affected.
CODESYS published a notice reporting that none of their products are affected.
HMS published an advisory reporting that their Argos and HMS Hub web services are not affected. No change.
HMS published an advisory reporting that their Ixxat products are not affected. No change.
HMS published an advisory for their WEBfactory product line. Updated to not affected.
Meinberg published an advisory. Updated to report that none of their products are affected.
Sprecher published an advisory reporting that none of their products are affected.
Vendors Still Looking at the Vulnerability
Baxter published an advisory. Medical device vendor.
BD published an advisory. Provides list of unaffected products. Medical device vendor.
Boston Scientific published an advisory. Provides a list of unaffected products. Medical device vendor.
Emerson published an advisory. Provides lengthy list of unaffected products.
GE published an advisory. It provides a list of GE Digital products that are not affected by Log4Shell, but evaluations are continuing on the GE Digital Plant Manufacturing product family.
GE Healthcare published a statement that they are looking at the problem. Medical device vendor.
Genetec published an advisory. Provides list of unaffected products. Still evaluating ATM Diebold plugin.
HMS published an advisory for their Anybus product line. They provide a list of unaffected products, but other products are still being evaluated. Unaffected product list updated.
Johnson Controls published an advisory. Added list of unaffected products.
Medtronic published an advisory. No specific products listed either way. Medical device vendor.
Moxa published an advisory. Provides link to list of not-affected products.
QNAP published an advisory. They are still waiting on word from 3rd party suppliers for the status of other products. Added QES to list of not-affected products.
Vendors With Affected Product Lists
Aruba published an update. A list of unaffected products is provided.
Eaton published an advisory that reports that they have directly contacted affected customers with affected products.
Hitachi Energy published a generic Log4Shell advisory.
HPE published an advisory. Affected products include some versions of their XP Performance Advisory, SimpliVity, 3Par, SANnav, and Intelligent Management Center. Updated list of affected products.
Phoenix Contact published a statement on the Log4Shell vulnerabilities. List of unaffected products. Working on mitigation measures for cloud products.
Philips published an advisory. Contains list of probably affected products. Medical device vendor.
SonicWall published an update for their advisory that was originally published on December 10th, 202.. They updated the lists of affected and unaffected products.
Vendors With Mitigation Measures
ABB published an advisory (3rd revision). Reports that their ABB Remote Access Platform (RAP) is fixed.
Aruba published an advisory for their Silver Peak product. Mitigation measures are available.
Boston Scientific published a separate advisory for their Latitude product line. Lists LATITUDE Link™ as being affected and provides a patch. Medical device vendor.
Broadcom published an advisory. Affected products include some versions of Brocade SANnav. Mitigation steps (Dlog4j2 settings change) are outlined. A list of unaffected products is provided. No change.
Dell published an advisory for their Dell EMC Ruckus Wireless Controllers. They provide a link to updates for some of the affected products.
Dell published an advisory for their Dell Wyse Management Suite. They provide an update that mitigates the vulnerability. NOTE: Dell has advisories for other non-ICS related products as well. No change.
Fujitsu published an advisory for a wide range of products. Provides lists of affected, unaffected, and under investigation products. Provides new versions for some of the affected products.
Hitachi Energy published an advisory for their UNEM Products. They provide a new version for some of the affected products.
Hitachi Energy published an advisory for their FOXMAN-UN Products. They provide a new version for some of the affected products.
Hitachi Energy published an advisory for their Lumada Enterprise Asset Manager & Field Service Manager (EAMFSM) Products. They provide generic mitigation measures.
Hitachi Energy published an advisory for their Counterparty Settlement and Billing (CSB) Product. They provide generic mitigation measures with a patch expected December 22nd.
Hitachi Energy published an advisory for their Network Manager Advanced Distributed Management System (NM-ADMS) Product. They provide generic mitigation measures.
Hitachi Energy published an advisory for their MMS Internal Facing Subcomponent. They report that a patch has been delivered.
Hitachi Energy published an advisory for their Lumada Asset Performance Management (APM) Product. They report that the Lumada APM Software-as-a-Service has been fixed. Generic mitigation measures are provided for remaining affected products.
Hitachi Energy published an advisory for their nMarket Global I-SEM. They provide a new version for both the SAAS and onsite versions.
Hitachi Energy published an advisory for their Network Manager SCADA/EMS Product. They provide generic mitigation measures.
Hitachi Energy published an advisory for their Axis Product. They report the SAAS product has been fixed.
HMS published an advisory for their EWON products. HMS has a new version for their eCatcher product and has fixed their Talk2M cloud infrastructure. Updated list of unaffected products.
HMS published an advisory for their Intesis product. They report the SAAS products are fixed.
HPE published an advisory for their HPE Service Director product. They have a new version that mitigates the vulnerabilities.
HPE published an advisory for their StoreServ Management Console. They have a new version that mitigates the vulnerabilities.
Prosys OPC published a blog post discussing the Log4Shell vulnerabilities. Provides list of affected and unaffected products. Lists mitigation measures for SDK product.
Rockwell published an advisory. Rockwell identified a preliminary list of affected products and reports that they have all already had mitigation measures applied. Updated affected product list and affected versions.
Ruckus published an update. Ruckus provides new versions for some of the affected products and expected release dates for many of the remainder.
Schneider published an advisory. Schneider provides new versions that use the 2.16 version of Log4j.
Sick published an advisory. Sick has a new version that mitigates the vulnerability in the affected products.
Spacelabs published an advisory. Provides list of unaffected products. Reviewing one cloud product and has fixed a second cloud product.
VMware published an update. More new versions available for more of the affected products.
WIBU published an advisory. WIBU lists two affected products and has new versions for each.
Wind River published an update. Wind River lists one affected product and has a new version to mitigate the vulnerabilities.
Xylem published an advisory. Provides list of affected products and reports that patching is complete on two of those products.
NOTE: Because of the importance of this topic, this is being published to both paid and free subscribers.