More on the Siemens response to the Log4Shell vulnerabilities, which I am watching as a microcosm of the wider Log4Shell response. Yesterday Siemens published a new advisory, and today they updated their original advisory again.
Siemens published a new advisory discussing the Log4Shell vulnerabilities in their SPPA-T3000 SeS3000 Security Server. It lists two of the Log4Shell vulnerabilities:
• Deserialization of untrusted data – CVE-2021-45046
Siemens is currently providing generic workarounds pending development of mitigation measures.
The update to the original Siemens advisory makes the following changes:
• Adding additional affected products, remediation or mitigation measures, and products under investigation,
• Removing LOGO! Soft Comfort from the list of affected products,
• Expanding the Teamcenter product listing, and
• Updating the information for Desigo CC and Cerberus DMS.
NOTE 1: Siemens is still not reporting the new CVE-2021-4104 that has been mentioned by Adolus. Nor have they mentioned active exploitation of the vulnerabilities they are reporting (I have not seen any specific mentions of exploits in Siemens products).
NOTE 2: NCCIC-ICS has still not published an ICS related advisory for these vulnerabilities. They also did not cover the original Siemens advisory in their list of new advisories published yesterday.