Hi guys,

So WinCC 7.4 without SP1 is vulnerable to this new security bug.

I am wondering of what part of WinCC is this referring to. I figured out that it may have be WinCC OPC UA server. If I dont want or dont know how to change log4j2.formatMsgNoLookups parameters, Can I somehow fully disable this feature in WinCC 7.4 if I dont use WinCC OPCUA server?

Info: https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf

SSA-661247: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products

SIMATIC WinCC V7.4: All versions < V7.4 SP1

 Update to V7.4 SP1 or later version
 https://support.industry.siemens.com/cs/ww/en/ view/109746038
 Only connect to trusted OPC UA servers
See further recommendations from section Workarounds and Mitigations 

WORKAROUNDS AND MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

• If the specific Siemens product allows it: Set the parameter log4j2.formatMsgNoLookups to ‘true’. This measure reduces (but not completely eliminates) the risk for remote command execution via CVE-2021-44228. It does not mitigate CVE-2021-45046.

• If the specific Siemens product allows it: Remove the JndiLookup class from the classpath: ’zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class’. This measure mitigates both CVE-2021-44228 and CVE-2021-45046.

• If the specific Siemens product allows it: Modify all PatternLayout patterns to specify the message converter as ‘%m{nolookups}’ instead of just ‘%m’. This measure reduces (but not completely eliminates) the risk for remote command execution via CVE-2021-44228. It does not mitigate CVE-2021-45046.

• If the specific Siemens product allows it: Update the Log4j component to 2.16.0 or later versions on the systems where the product is installed. This measure mitigates both CVE-2021-44228 and CVE-2021-45046.

In the latest update WinCC 7.4 is removed from the list:

https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf

V1.2 (2021-12-16): Added additional affected products, remediation or mitigation measures, and products under investigation; removed SIMATIC WinCC V7.4 because it is not affected

Hello,

I have seen that Siemens has taken out the V7.4 out of the vulnerability list. Does this mean that older versions of WinCC are also out of danger? 

I have 3 PC's with WinCC V7.3 and I'd like to know if they are vulnerable, meaning that I need to upgrade them.

Thanks for any info you can give me.

Regards,

Bigbor

Dear users and customers,

thanks for asking! 

This is the information we received from Product Management CERT:

Product Management CERT

WinCC V7.4 < V7.4 SP1 was listed in the advisory. There was a suspicion that it was affected. The suspicion has not been confirmed. For this reason the advisory was withdrawn. Older versions were never affected.
We will keep you up to date with all the relevant information within our cert advisories.

Best regards,
Jen_Moderator