Today, Siemens published another new Log4Shell advisory and updated their original advisory.
New Advisory – Siemens published an advisory addressing the three Log4Shell vulnerabilities in their Energy Sensformer products (Platform, Basic and Advanced).
One thing that has become obvious during my coverage of this set of vulnerabilities is that cloud versions of control system software appear to be ideally suited to responding to vulnerabilities. It looks like (from the outside) that it takes less time to develop mitigations, and it certainly gets them into actual operations much faster. The only question is, how does this affect the ‘requirement’ to test patches, updates, and new versions off-line before they are run on operational systems? Yes, vendors like Siemens certainly do in-house testing ‘offline’, but that testing cannot include all of the other pieces of the control system that must physically reside in the plant, like sensors, valves and motors. Is that kind of testing not necessary for control system software-as-a-service products?
For more details on these advisories, see my article at CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/12-21-21-siemens-advisories-for-log4shell – subscription required.