DETAILS
Siemens is aware of the attacks disclosed by the media related to the Log4j vulnerability. This article reports any updates we have regarding the Opcenter and SIMATIC IT product families.
· Currently, there are no indications that attackers have managed to get access to customer data or production services. Siemens is closely monitoring the situation.
· For Siemens products, a security advisory has been issued. Please see: https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
Further below you will find the list of products that are impacted and possible workarounds.
Here is a list of dedicated bulletins available for individual products/families for which the analysis has been completed and which are generally not affected:
Opcenter EX CR: https://support.sw.siemens.com/knowledge-base/PL8600926
Opcenter EX FN: https://support.sw.siemens.com/knowledge-base/PL8601097
Opcenter EX PH: https://support.sw.siemens.com/knowledge-base/PL8601232
Opcenter APS: https://support.sw.siemens.com/knowledge-base/PL8601478
For more information, please review CVE-2021-44228.
GENERAL SECURITY RECOMMENDATIONS
As a general security measure, Siemens strongly recommends protecting network access to systems with appropriate mechanisms. To operate the systems in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals.
Because of the complex nature of MES systems, Siemens strongly suggests that all customers analyze their specific environment for any potential threat coming from third-party tools that might be present in the infrastructure.
Siemens software works in conjunction with several third-party software components/products that customers procure and deploy from third parties on their own in preparation for the installation and/or use of Siemens software. Since Log4j is a widely used logging framework, some of these third-party software components/products may be affected by this vulnerability. To keep your Siemens software as secure as possible, please refer to the security advisories issued by the respective vendors of those third-party software components/products.
AFFECTED PRODUCTS AND MITIGATIONS – LIST STILL IN PROGRESS –
Opcenter Intelligence
Opcenter Intelligence V3.2 to V3.3.3: the OEM version of Tableau is affected by the vulnerability (see also https://www.tableau.com/support/releases/server/2020.4.3). Please apply the following workaround:
Set this parameter for the Java Virtual Machine, either as a command-line parameter (-Dlog4j2.formatMsgNoLookups=true) or as an environment variable (LOG4J_FORMAT_MSG_NO_LOOKUPS=true), and restart the affected Java processes so that the setting is read.
Opcenter Intelligence will distribute a patched version of Tableau when available.
Opcenter EX CR Process Automation Control (PAC)
The status of the components within PAC is as follows (log4j 1.x does not contain the JNDI message lookup exploited by CVE-2021-44228, so components that only use log4j 1.x are not affected by it):

Component   Affected Version                               Details
ZAM         –                                              component does not use log4j 2.x (uses log4j 1.x)
ZAM agent   –                                              component does not use log4j 2.x (uses log4j 1.x)
PAC         all versions from 17.2.3 to 18.0.3 inclusive   –
ActiveMQ    –                                              component does not use log4j 2.x (uses log4j 1.x)
zIF         –                                              component does not use log4j 2.x
Mitigation Strategies
In general, there are two strategies to fix the vulnerability:
- Strategy 1: Upgrade log4j to 2.15.0 (the latest release when this bulletin was written) or later
- Strategy 2: Set the property log4j2.formatMsgNoLookups=true (honoured only by log4j 2.10.0 and later; for older 2.x versions only strategy 1 helps)
These strategies can be applied through the following options:
Option 1: Upgrade to PAC 18.1.x
PAC 18.1.x will be released on December 14th, 2021 and upgrades to log4j 2.15.0 (strategy 1). Update the applications (common layers) to this version.
Option 2: Update the common layer ZAM module
Add the following property in the common layer:
$$SystemProperty$$log4j2.formatMsgNoLookups=true
The property has to be included in a property file such as common.properties or pac-cs.properties, depending on your template version (strategy 2).
Roll out the common layer and application versions.
Option 3: Add the property to ZAM_TS.properties (applicable for ZAM 6.2 and higher)
Add the following line to the file ZAM_TS.properties on all target systems. The file is located in the ZAM agent installation, in the folder <ZAM agent home folder>\resources.
$$SystemProperty$$log4j2.formatMsgNoLookups=true
After completing the chosen option(s), restart all PAC instances so that the new property or library version takes effect.
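Both strategies, and the JVM parameter / environment variable workaround given above for Opcenter Intelligence, only make sense once you know which log4j 2 version each deployed JAR actually carries. The following Python script is an added example and is not Siemens or Apache code: it walks a directory tree (including JARs nested inside WAR/EAR files), reads the Maven pom.properties that each JAR carries, and reports per JAR whether strategy 1 is already applied, whether strategy 2 can apply at all (the property exists only from log4j 2.10.0 on) and whether it is active for a given JVM command line and environment. The JARs it scans are constructed in a temporary directory for demonstration and are not real product files; the precedence of the -D property over the environment variable and the Boolean.parseBoolean semantics are assumptions taken from Log4j's PropertiesUtil behaviour.

```python
# Added example (not Siemens code): inventory Log4j JARs under a directory tree and
# report, per JAR, which of this bulletin's two strategies applies or is already in place.
import io, os, re, tempfile, zipfile
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven embeds META-INF/maven/<groupId>/<artifactId>/pom.properties in each JAR it builds.
POM_RE = re.compile(r"META-INF/maven/(log4j|org\.apache\.logging\.log4j)/([^/]+)/pom\.properties$")
FIX_VERSION = (2, 15, 0)  # fix release named in this bulletin; later releases exist
PROP_MIN = (2, 10, 0)     # log4j2.formatMsgNoLookups is only honoured from 2.10.0 on
Finding = NamedTuple("Finding", [("path", str), ("artifact", str), ("version", tuple), ("verdict", str)])

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def lookups_disabled(jvm_args: Sequence[str], env: Dict[str, str]) -> bool:
    """Resolve log4j2.formatMsgNoLookups as Log4j 2.10+ does (assumed from PropertiesUtil): a -D
    system property overrides LOG4J_FORMAT_MSG_NO_LOOKUPS, and as with Java's Boolean.parseBoolean
    only the bare word true (any case) counts; a value still containing quote characters is false."""
    value = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS")
    for arg in jvm_args:
        if arg.startswith("-Dlog4j2.formatMsgNoLookups="):
            value = arg.split("=", 1)[1]
    return value is not None and value.lower() == "true"

def verdict_for(artifact: str, version: tuple, has_jndi: bool, lookups_off: bool) -> str:
    if not version:
        return "UNKNOWN version: inspect manually"
    if artifact == "log4j" or version < (2,):
        return "not affected: log4j 1.x has no JNDI lookup in message patterns"
    if artifact != "log4j-core":
        return "not affected: %s carries no lookup code" % artifact
    if version >= FIX_VERSION:
        return "fixed: strategy 1 (upgrade) already applied"
    if not has_jndi:
        return "mitigated: JndiLookup.class removed from the JAR"
    if version >= PROP_MIN:
        return ("mitigated: strategy 2 (formatMsgNoLookups) active" if lookups_off
                else "VULNERABLE: apply strategy 1 or 2")
    return "VULNERABLE: strategy 2 has no effect before 2.10.0, strategy 1 required"

def scan_zip(zf: zipfile.ZipFile, path: str, lookups_off: bool, depth: int = 0) -> List[Finding]:
    names = set(zf.namelist())
    out: List[Finding] = []
    for name in sorted(names):
        m = POM_RE.search(name)
        if m:
            vm = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
            version = parse_version(vm.group(1)) if vm else ()
            out.append(Finding(path, m.group(2), version,
                               verdict_for(m.group(2), version, JNDI_LOOKUP in names, lookups_off)))
        elif name.endswith(".jar") and depth < 2:  # JAR nested inside a WAR/EAR/uber-JAR
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                out.extend(scan_zip(inner, path + "!" + name, lookups_off, depth + 1))
    return out

def scan_tree(root: str, jvm_args: Sequence[str] = (), env: Optional[Dict[str, str]] = None) -> List[Finding]:
    lookups_off = lookups_disabled(jvm_args, env or {})
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname.lower().endswith((".jar", ".war", ".ear", ".zip")) and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    out.extend(scan_zip(zf, full, lookups_off))
    return sorted(out)

def build_sample_tree(root: str) -> None:
    """Constructed fixtures, not real product JARs: only the metadata the scan reads."""
    def jar(dest, group, artifact, version, with_jndi):  # dest: path under root or a BytesIO
        if isinstance(dest, str):
            dest = os.path.join(root, dest)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
        with zipfile.ZipFile(dest, "w") as zf:
            zf.writestr("META-INF/maven/%s/%s/pom.properties" % (group, artifact), "version=%s\n" % version)
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    core = "org.apache.logging.log4j"
    jar("lib/log4j-1.2.17.jar", "log4j", "log4j", "1.2.17", False)
    jar("lib/log4j-core-2.8.2.jar", core, "log4j-core", "2.8.2", True)
    jar("lib/log4j-core-2.14.1.jar", core, "log4j-core", "2.14.1", True)
    jar("lib/log4j-api-2.14.1.jar", core, "log4j-api", "2.14.1", False)
    jar("new/log4j-core-2.15.0.jar", core, "log4j-core", "2.15.0", True)
    inner = io.BytesIO()  # a WAR embedding log4j-core exercises the nested-archive path
    jar(inner, core, "log4j-core", "2.11.2", True)
    os.makedirs(os.path.join(root, "webapps"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", inner.getvalue())

def demo(jvm_args: Sequence[str] = (), env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Scan the constructed tree and return {path relative to the tree: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(f.path, root).replace(os.sep, "/"): f.verdict
                for f in scan_tree(root, jvm_args, env)}

if __name__ == "__main__":
    for path, verdict in demo(["-Dlog4j2.formatMsgNoLookups=true"]).items():
        print("%-52s %s" % (path, verdict))
```

To use it on a real system, call scan_tree with the installation folders (for PAC the ZAM agent home and the application directories, for Opcenter Intelligence the Tableau Server installation) and with the JVM arguments and environment of the running process, not of your own shell. Two practical points: the quotes around the environment variable value in the Opcenter Intelligence workaround are shell quoting, so the variable must end up holding the bare word true, since a value that literally contains the quote characters is not recognised; and JARs without Maven metadata (shaded or repackaged builds) produce no finding, so an empty report is not proof of absence and a direct search for JndiLookup.class is the fallback in that case.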
SIMATIC IT Report Manager 6.7
SIMATIC IT Report Manager 6.7 is based on SAP BusinessObjects XI 3.1. This version reached End of Life on December 31, 2015 (End of Priority-One Support on December 31, 2017).
We are making our best effort to evaluate whether there is any possible impact on the assets concerned by the mentioned vulnerabilities; however, we do not have any official statement from the vendor for this specific version (please consult the SAP Knowledge Base article at https://userapps.support.sap.com/sap/support/knowledge/en/3129956).
Siemens has not identified any additional specific workarounds or mitigations. Please follow the General Security Recommendations.
To mitigate potential security risks on SIMATIC IT Report Manager 6.7, Siemens recommends migrating to Opcenter Reporting.
SFB-OPCENTER_APS-8600875
Product Information:
- Product: OPCENTER_APS
- Product: OPCENTER_EX , Application: FOUNDATION
- Product: OPCENTER_EX , Application: CORE
- Product: OPCENTER_QL
- Product: OPCENTER_INTELL
- Product: OPCENTER_RDL
- Product: SIMATIC_IT
- Product: OPCENTER_CONN
- Product: OPCENTER_EX , Application: PHARMA