08.03.2022 14:25
Update from 08.03.2022 Other:

Ladies and Gentlemen,

for your information: The following new advisories/bulletins have just been published on the Siemens ProductCERT web site [1]:

SSA-134279: Vulnerability in Mendix Forgot Password Appstore module
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-134279.pdf>

SSA-148641: XPath Constraint Vulnerability in Mendix Runtime
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-148641.pdf>

SSA-155599: File Parsing Vulnerabilities in COMOS
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-155599.pdf>

SSA-166747: Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2022.1
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-166747.pdf>

SSA-223353: Multiple Vulnerabilities in Nucleus RTOS based SIMOTICS CONNECT 400
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-223353.pdf>

SSA-250085: Multiple Vulnerabilities in SINEC NMS
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-250085.pdf>

SSA-252466: Multiple Vulnerabilities in Climatix POL909 (AWM and AWB)
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-252466.pdf>

SSA-256353: Third-Party Component Vulnerabilities in RUGGEDCOM ROS
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-256353.pdf>

SSA-337210: Privilege Escalation Vulnerability in SINUMERIK MC
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-337210.pdf>

SSA-389290: Third-Party Component Vulnerabilities in SINEC INS
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf>

SSA-406691: Buffer Vulnerabilities in DHCP function of RUGGEDCOM ROX products
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-406691.pdf>

SSA-415938: Improper Access Control Vulnerability in Mendix
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-415938.pdf>

SSA-562051: Cross-Site Scripting Vulnerability in Polarion ALM
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-562051.pdf>

SSA-594438: Remote Code Execution and Denial-of-Service Vulnerability in multiple RUGGEDCOM ROX products
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-594438.pdf>

SSA-764417: Multiple Vulnerabilities in RUGGEDCOM Devices
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-764417.pdf>

Additionally, the following advisories / bulletins have just been updated on the Siemens ProductCERT web site [1]:

SSA-244969: OpenSSL Vulnerability in Industrial Products
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf>
 * Added solution for SINUMERIK Operate; Added Industrial Edge products

SSA-301589: Multiple File Parsing Vulnerabilities in Solid Edge, JT2Go and Teamcenter Visualization
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-301589.pdf>
 * Added remediation for Teamcenter Visualization version lines V12.4 and V13.3

SSA-306654: Insyde BIOS Vulnerabilities in Siemens Industrial Products
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf>
 * Corrected AV:L for all CVEs, added RUGGEDCOM APE1808 and SIMATIC IPC477E PRO

SSA-309571: IPU 2021.1 Vulnerabilities in Siemens Industrial Products using Intel CPUs (June 2021)
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-309571.pdf>
 * Added mitigation; clarified no remediation planned for SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP; added solution for SIMATIC IPC127E and SIMATIC ET 200SP Open Controller CPU 1515SP PC2

SSB-439005: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP
 * <https://cert-portal.siemens.com/productcert/pdf/ssb-439005.pdf>
 * Added CVE-2022-23308, CVE-2022-24407, CVE-2022-24448, CVE-2022-25235

SSA-462066: Vulnerability known as TCP SACK PANIC in Industrial Products
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf>
 * Readded SCALANCE S615 to the list of affected products

SSA-501073: Vulnerabilities in Controllers CPU 1518 MFP using Intel CPUs (November 2020)
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-501073.pdf>
 * Updated specific mitigations; clarified that no remediation is planned

SSA-534763: Special Register Buffer Data Sampling (SRBDS) aka Crosstalk in Industrial Products
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-534763.pdf>
 * Added solution for SIMATIC IPC3000 SMART V2 and clarified that no further fixes are planned

SSA-541018: Embedded TCP/IP Stack Vulnerabilities (AMNESIA:33) in SENTRON PAC / 3VA Devices (Part 2)
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-541018.pdf>
 * Added download link of update version for SENTRON PAC2200

SSA-669158: DNS Client Vulnerabilities in SIMOTICS CONNECT 400
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-669158.pdf>
 * Added solution for CVE-2021-25677

SSA-669737: Improper Access Control Vulnerability in SICAM TOOLBOX II
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-669737.pdf>
 * Updated Acknowledgments; Improved Mitigation Description

SSA-678983: Vulnerabilities in Industrial PCs and CNC devices using Intel CPUs (November 2020)
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-678983.pdf>
 * Added solution for SIMATIC ET 200SP Open Controller CPU 1515SP PC2

SSA-703715: Information Disclosure Vulnerability in Climatix POL909 (AWM and AWB)
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf>
 * Added product: Climatix POL909 (AWB module)

SSA-838121: Multiple Denial of Service Vulnerabilities in Industrial Products
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-838121.pdf>
 * Added solution for SIMATIC S7-PLCSIM Advanced

SSA-840188: Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products
 * <https://cert-portal.siemens.com/productcert/pdf/ssa-840188.pdf>
 * Added Mitigation to CVE-2021-40358