More on the Siemens response to the Log4Shell vulnerabilities, which I am watching as a microcosm of the Log4Shell response. Yesterday Siemens updated their original advisory again:
• Revising the severity of CVE-2021-45046 and removing ineffective mitigation measures,
• Adding Comfy and Enlighted to the list of affected products,
• Adding individual MindSphere applications,
• Removing Siveillance Viewpoint because it is not affected, and
• Adding a statement regarding Siemens Mobility solutions.
I am still publishing these updates for the Siemens advisories outside of my normal advisory reporting process because, in my opinion, the Siemens response continues to mirror the problems that the general ICS community is having with responding to this vulnerability. While Siemens has more products to deal with than anyone else in the community, they also have a larger, more experienced (from the standpoint of dealing with vulnerability updates) staff with which to deal with the problem.
And remember, Siemens has yet to address the third log4j vulnerability, CVE-2021-4104.