-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-661247: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products

Publication Date:     2021-12-13
Last Update:          2022-08-09
Current Version:      3.0
CVSS v3.1 Base Score: 10.0

SUMMARY
=======

On 2021-12-09, a vulnerability in Apache Log4j (a logging tool used in many Java-based applications) was disclosed that could allow remote unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as "Log4Shell".

On 2021-12-14 an additional denial of service vulnerability (CVE-2021-45046) was published, rendering the initial mitigations and the fix in version 2.15.0 incomplete under certain non-default configurations. Log4j versions 2.16.0 and 2.12.2 are supposed to fix both vulnerabilities.

On 2021-12-17, CVE-2021-45046 was reclassified with an increased CVSS base score (from 3.7 to 9.0). The potential impact of CVE-2021-45046 now includes, besides denial of service, information disclosure and local (and potentially remote) code execution.

Siemens is currently investigating to determine which products are affected and is continuously updating this advisory as more information becomes available. See section Additional Information for more details regarding the investigation status.

Note: two additional vulnerabilities were published for Apache Log4j, the impact of which is documented in SSA-501673: https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf (CVE-2021-45105) and SSA-784507: https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf (CVE-2021-44832).
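The two remediations this advisory repeats for many products, updating to a fixed log4j-core version (2.16.0 or 2.12.2 per the summary) and removing the JndiLookup class from the classpath, as an added Python scanner that is not Siemens' code: it walks a directory tree, reports each log4j-core jar (including jars nested one level inside a WAR/EAR) as fixed, vulnerable or mitigated, and strips JndiLookup.class from vulnerable top-level jars. It assumes the standard Maven pom.properties layout inside log4j-core jars; the sample archives it builds are constructed stand-ins, not real Log4j builds.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # assumed standard Maven jar layout, not from the advisory
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text: str) -> Optional[tuple]:
    """(major, minor, patch) from a pom.properties 'version=' line, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def is_fixed_version(v: tuple) -> bool:
    """Fixed per the advisory summary: 2.16.0+, or 2.12.2+ on the 2.12 line; 2.15.0 is not."""
    return v >= (2, 16, 0) or (v[:2] == (2, 12) and v[2] >= 2)

@dataclass
class Finding:
    location: str             # "app.war!WEB-INF/lib/x.jar" for a nested jar
    version: Optional[tuple]  # None if no log4j-core pom.properties was found
    has_jndi_lookup: bool

    def status(self) -> str:
        if self.version and is_fixed_version(self.version):
            return "fixed"  # JndiLookup may still be present, but the version is a fixed one
        return "vulnerable" if self.has_jndi_lookup else "mitigated"  # class already stripped

def inspect_archive(zf: zipfile.ZipFile, location: str, depth: int = 0) -> list:
    """Findings for one archive plus any jars nested one level inside it."""
    names = set(zf.namelist())
    version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
    findings = [Finding(location, version, JNDI_CLASS in names)] if version or JNDI_CLASS in names else []
    for name in (sorted(n for n in names if n.endswith(ARCHIVES)) if depth == 0 else []):
        try:
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                findings.extend(inspect_archive(inner, f"{location}!{name}", depth + 1))
        except zipfile.BadZipFile:
            pass  # .jar-suffixed entry that is not really an archive
    return findings

def scan_tree(root: str) -> list:
    """Walk a directory tree and inspect every .jar/.war/.ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(f for f in files if f.endswith(ARCHIVES)):
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, os.path.relpath(path, root)))
            except zipfile.BadZipFile:
                pass
    return findings

def remove_jndi_lookup(jar_path: str) -> bool:
    """Rewrite a top-level jar without JndiLookup.class (same effect as 'zip -q -d <jar> <class>').
    Jars nested inside a WAR/EAR are only reported: those must be fixed in the build."""
    tmp_path, removed = jar_path + ".tmp", False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        os.replace(tmp_path, jar_path)  # swap in only after the full copy succeeded
    else:
        os.remove(tmp_path)
    return removed

def build_sample_jar(target, version: Optional[str], with_jndi: bool, nested: bytes = b"") -> None:
    """Constructed sample archive for the demo; NOT a real log4j build."""
    with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic as a stand-in
        if nested:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", nested)

def run_demo() -> dict:
    """Scan constructed samples, strip JndiLookup from vulnerable top-level jars, rescan."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0", True)
        build_sample_jar(os.path.join(root, "log4j-core-2.12.2.jar"), "2.12.2", True)
        inner = io.BytesIO()
        build_sample_jar(inner, "2.14.1", True)
        build_sample_jar(os.path.join(root, "app.war"), None, False, nested=inner.getvalue())
        found = scan_tree(root)
        before = {f.location: f.status() for f in found}
        for f in found:
            if f.status() == "vulnerable" and "!" not in f.location:
                remove_jndi_lookup(os.path.join(root, f.location))
        after = {f.location: f.status() for f in scan_tree(root)}
        return {loc: (before[loc], after.get(loc, "missing")) for loc in before}  # {location: (before, after)}
```

The nested jar inside the constructed WAR stays "vulnerable" after the run on purpose: stripping the class from a top-level jar on disk does not reach copies bundled inside deployable archives, which is why the advisory points to product updates rather than a classpath edit for most entries.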
AFFECTED PRODUCTS AND SOLUTION
==============================

* Advantage Navigator Energy & Sustainability
  - Affected versions: All versions < 2021-12-13
  - Remediation: Vulnerability CVE-2021-44228 fixed on central cloud service starting 2021-12-13; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* Advantage Navigator Software Proxy V6
  - Affected versions: All versions < V6.3
  - Remediation: Update to V6.3 or later version
    See further recommendations from section "Workarounds and Mitigations"

* Building Operator Discovery Distribution for the Connect X200 Gateway
  - Affected versions: All versions < V3.0.30
  - Remediation: Update to V3.0.30 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109805593/

* Building Operator Discovery Distribution for the Connect X300 Gateway
  - Affected versions: All versions < V3.0.29
  - Remediation: Update to V3.0.29 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109805593/

* Building Twin - 360° Viewer
  - Affected versions: All versions
  - Remediation: Vulnerability CVE-2021-44228 fixed on central cloud service; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* Capital V2019.1
  - Affected versions: All versions >= V2019.1 SP1912 < V2019.1 SP2204 only if Teamcenter integration feature is used
  - Remediation: Update to V2019.1 SP2204 or later version
    Find detailed mitigation steps at: https://support.sw.siemens.com/en-US/knowledge-base/MG618363
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/product/861057055/downloads

* Capital V2020.1
  - Affected versions: All versions < 2020.1 SP2202 only if Teamcenter integration feature is used
  - Remediation: Update to V2020.1 SP2202 or later version
    Find detailed mitigation steps at: https://support.sw.siemens.com/en-US/knowledge-base/MG618363
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/product/861057055/downloads

* Capital V2021.1
  - Affected versions: All versions < V2021.1 SP2202 only if Teamcenter integration feature is used
  - Remediation: Update to V2021.1 SP2202 or later version
    Find detailed mitigation steps at: https://support.sw.siemens.com/en-US/knowledge-base/MG618363
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/product/861057055/downloads

* Cerberus DMS V5.0
  - Affected versions: All versions with Advanced Reporting EM installed
  - Remediation: Remove the JndiLookup class from the classpath. Detailed instructions are available at https://support.industry.siemens.com/cs/ww/en/view/109805562/
    See further recommendations from section "Workarounds and Mitigations"

* Cerberus DMS V5.1
  - Affected versions: All versions with Advanced Reporting EM installed
  - Remediation: Remove the JndiLookup class from the classpath. Detailed instructions are available at https://support.industry.siemens.com/cs/ww/en/view/109805562/
    See further recommendations from section "Workarounds and Mitigations"

* COMOS
  - Affected versions: All versions < V10.4.2 only if Teamcenter PDI feature is used
  - Remediation: Update to V10.4.2 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109812011/

* cRSP
  - Affected versions: All versions < V13.17.2
  - Remediation: Update to V13.17.2 was deployed on all cRSP services on 2021-12-21; no user actions necessary
    Note: Earlier versions of the product contained a vulnerable version of log4j, but no risk for exploitation could be identified.
    See further recommendations from section "Workarounds and Mitigations"

* cRSP Operator Client Starter
  - Affected versions: All versions < V1.7.18
  - Remediation: Update to V1.7.18 or later version, as provided via cRSP V13.17.2 or later version
    Note: Earlier versions of the product contained a vulnerable version of log4j, but no risk for exploitation could be identified.
    See further recommendations from section "Workarounds and Mitigations"

* Desigo CC V3.0
  - Affected versions: All versions with Advanced Reporting EM installed
  - Remediation: Remove the JndiLookup class from the classpath. Detailed instructions are available at https://support.industry.siemens.com/cs/ww/en/view/109805562/
    See further recommendations from section "Workarounds and Mitigations"

* Desigo CC V4.0
  - Affected versions: All versions with Advanced Reporting EM installed
  - Remediation: Remove the JndiLookup class from the classpath. Detailed instructions are available at https://support.industry.siemens.com/cs/ww/en/view/109805562/
    See further recommendations from section "Workarounds and Mitigations"

* Desigo CC V4.1
  - Affected versions: All versions with Advanced Reporting EM installed
  - Remediation: Remove the JndiLookup class from the classpath. Detailed instructions are available at https://support.industry.siemens.com/cs/ww/en/view/109805562/
    See further recommendations from section "Workarounds and Mitigations"

* Desigo CC V4.2
  - Affected versions: All versions with Advanced Reporting EM installed
  - Remediation: Remove the JndiLookup class from the classpath. Detailed instructions are available at https://support.industry.siemens.com/cs/ww/en/view/109805562/
    See further recommendations from section "Workarounds and Mitigations"

* Desigo CC V5.0
  - Affected versions: All versions with Advanced Reporting EM installed
  - Remediation: Remove the JndiLookup class from the classpath. Detailed instructions are available at https://support.industry.siemens.com/cs/ww/en/view/109805562/
    See further recommendations from section "Workarounds and Mitigations"

* Desigo CC V5.1
  - Affected versions: All versions < V5.1 QU1 with Advanced Reporting EM installed
  - Remediation: Update to V5.1 QU1 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109807893/

* E-Car OC Cloud Application
  - Affected versions: All versions < 2021-12-13
  - Remediation: Vulnerability CVE-2021-44228 fixed on central cloud service starting 2021-12-13; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* Energy Engage
  - Affected versions: V3.1
  - Remediation: Find detailed remediation and mitigation information on the EnergyIP docs portal at: https://docs.emeter.com/display/public/WELCOME/EnergyIP+Security+Advisory+for+Log4Shell+Vulnerability
    See further recommendations from section "Workarounds and Mitigations"

* EnergyIP
  - Affected versions: V8.5, V8.6, V8.7, V9.0
  - Remediation: Find detailed remediation and mitigation information on the EnergyIP docs portal at: https://docs.emeter.com/display/public/WELCOME/EnergyIP+Security+Advisory+for+Log4Shell+Vulnerability
    Note: EnergyIP V8.5 and V8.6 applications are not directly affected, but CAS is.
    See further recommendations from section "Workarounds and Mitigations"

* EnergyIP Prepay
  - Affected versions: All versions < V3.8.0.12
  - Affected by vulnerabilities:
    - CVE-2021-44228
  - Remediation: Update to V3.8.0.12 or later version
    See further recommendations from section "Workarounds and Mitigations"

* Enlighted Amaze
  - Affected versions: All versions < 2021-12-10
  - Remediation: Vulnerabilities fixed on central cloud services starting 2021-12-10; no user actions necessary
    For Comfy and Enlighted, see also chapter Additional Information below
    See further recommendations from section "Workarounds and Mitigations"

* Enlighted Where
  - Affected versions: All versions < 2021-12-11
  - Remediation: Vulnerabilities fixed on central cloud services starting 2021-12-11; no user actions necessary
    For Comfy and Enlighted, see also chapter Additional Information below
    See further recommendations from section "Workarounds and Mitigations"

* Geolus Shape Search V10
  - Affected versions: All versions >= V10.2
  - Remediation: Remove the JndiLookup class from the classpath.
    Find detailed remediation and mitigation information at: https://support.sw.siemens.com/en-US/knowledge-base/PL8601468
    See further recommendations from section "Workarounds and Mitigations"

* Geolus Shape Search V11
  - Affected versions: All versions
  - Remediation: Remove the JndiLookup class from the classpath.
    Find detailed remediation and mitigation information at: https://support.sw.siemens.com/en-US/knowledge-base/PL8601468
    See further recommendations from section "Workarounds and Mitigations"

* GMA-Manager
  - Affected versions: All versions >= V8.6.2j.398 < V8.6.2.472
  - Remediation: Update to V8.6.2.472 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109805665/

* HEEDS Connect
  - Affected versions: All versions
  - Remediation: HEEDS Connect team will contact all impacted customers to deploy a new log4j version. This action will secure your installation against the Log4Shell vulnerability.
    For further information see: https://support.sw.siemens.com/en-US/knowledge-base/PL8601661
    See further recommendations from section "Workarounds and Mitigations"

* HES UDIS
  - Affected versions: All versions
  - Remediation: Specific fix versions based on V6.0.2 and V6.0.3 were released and deployed for all affected projects
    See further recommendations from section "Workarounds and Mitigations"

* Industrial Edge Hub
  - Affected versions: All versions < 2021-12-13
  - Remediation: Vulnerabilities fixed on central cloud service starting 2021-12-13; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* Industrial Edge Management App (IEM-App)
  - Affected versions: All versions < V1.4.11
  - Remediation: Update to V1.4.11 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://iehub.eu1.edge.siemens.cloud/

* Industrial Edge Management OS (IEM-OS)
  - Affected versions: All versions < V1.4.0-42
  - Remediation: Update to V1.4.0-42 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://iehub.eu1.edge.siemens.cloud/

* jROS for Spectrum Power 4
  - Affected versions: V4.70 SP9
  - Remediation: Update to V4.70 SP9 Security Patch 1 or later version. Please contact your local Siemens representative.
    See further recommendations from section "Workarounds and Mitigations"

* jROS for Spectrum Power 7
  - Affected versions: V21Q4
  - Remediation: Apply the patch. Please contact your local Siemens representative.
    See further recommendations from section "Workarounds and Mitigations"

* Mendix Applications
  - Affected versions: All versions
  - Remediation: Although the Mendix runtime itself is not vulnerable to this exploit, we nevertheless recommend upgrading log4j-core to the latest available version if log4j-core is part of your project. This advice applies regardless of the JRE/JDK version the app runs on.
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://status.mendix.com/incidents/8j5043my610c

* MindSphere App Management Cockpits (Developer & Operator)
  - Affected versions: All versions < 2021-12-16
  - Remediation: Vulnerabilities fixed with update on 2021-12-16; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* MindSphere Asset Manager
  - Affected versions: All versions < 2021-12-16
  - Remediation: Vulnerabilities fixed with update on 2021-12-16; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* Mindsphere Cloud Foundry
  - Affected versions: All versions < 2021-12-14
  - Remediation: Although the Cloud Foundry environment itself is not vulnerable to this exploit, we nevertheless recommend upgrading log4j-core to the latest available version if log4j-core is part of your project. https://support.sw.siemens.com/en-US/product/268530510/knowledge-base/PL8600797
    See further recommendations from section "Workarounds and Mitigations"

* Mindsphere Cloud Platform
  - Affected versions: All versions < 2021-12-11
  - Remediation: Vulnerabilities fixed on central cloud service starting 2021-12-11; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* MindSphere IAM (User Management / Settings)
  - Affected versions: All versions < 2021-12-16
  - Remediation: Vulnerabilities fixed with update on 2021-12-16; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* MindSphere Integrated Data Lake
  - Affected versions: All versions < 2021-12-16
  - Remediation: Vulnerabilities fixed with update on 2021-12-16; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* MindSphere Notification Service
  - Affected versions: All versions < 2021-12-16
  - Remediation: Vulnerabilities fixed with update on 2021-12-16; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* MindSphere Predictive Learning
  - Affected versions: All versions < 2021-12-23
  - Remediation: Vulnerabilities fixed with update on 2021-12-23; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* MindSphere Usage Transparency Service
  - Affected versions: All versions < 2021-12-16
  - Remediation: Vulnerabilities fixed with update on 2021-12-16; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* MindSphere Visual Explorer
  - Affected versions: All versions < 2021-12-21
  - Remediation: Vulnerabilities fixed with update on 2021-12-21; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* NX 1953 Series
  - Affected versions: All versions < V1973.4340
  - Remediation: Update to V1973.4340 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600959

* NX 1980 Series
  - Affected versions: All versions < V2000.3400
  - Remediation: Update to V2000.3400 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600959

* NX 2007 Series
  - Affected versions: All versions < V2008
  - Remediation: Update to V2008 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600959

* NXpower Monitor
  - Affected versions: All versions < 2021-12-19
  - Remediation: Vulnerabilities fixed on central cloud service starting 2021-12-19; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* Opcenter EX CP Process Automation Control
  - Affected versions: All versions >= V17.2.3 < V18.1
  - Remediation: Update to V18.1 or later version to fix CVE-2021-44228
    See further recommendations from section "Workarounds and Mitigations"

* Opcenter Execution Core Process Automation Control
  - Affected versions: All versions >= V17.2.3 < V18.1
  - Remediation: Update to V18.1 or later version to fix CVE-2021-44228
    See further recommendations from section "Workarounds and Mitigations"

* Opcenter Intelligence
  - Affected versions: All versions >= V3.2 < V3.5 only OEM version that ships Tableau
  - Remediation: Update to V3.5 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/

* Operation Scheduler
  - Affected versions: All versions >= V1.1.3
  - Remediation: Update the UAA component to V75.8.3
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109805673/

* SENTRON powermanager V4
  - Affected versions: V4.1, V4.2
  - Remediation: Remove the JndiLookup class from the classpath. Detailed instructions are available at https://support.industry.siemens.com/cs/ww/en/view/109805602/
    See further recommendations from section "Workarounds and Mitigations"

* SIGUARD DSA
  - Affected versions: All versions >= 4.2 < 4.4.1
  - Remediation: Update to V4.4.1 or later version
    See further recommendations from section "Workarounds and Mitigations"

* SIMATIC IPC647D
  - Affected versions: All versions with affected Adaptec RAID
  - Remediation: Follow the remediation steps documented at https://ask.adaptec.com/app/answers/detail/a_id/17527/
    Stop and disable autostart for maxView Storage Manager WebServer. Note: This software is not required for the underlying RAID to work
    Disable ports 8080/tcp and 8443/tcp in the firewall configuration of the IPC
    See further recommendations from section "Workarounds and Mitigations"

* SIMATIC IPC647E
  - Affected versions: All versions with affected Adaptec RAID
  - Remediation: Update the driver for the SmartRAID controller to V2.6.6 or later version, available at https://storage.microsemi.com/en-us/support/raid/sas_raid/asr-3151-4i/
    Stop and disable autostart for maxView Storage Manager WebServer. Note: This software is not required for the underlying RAID to work
    Disable ports 8080/tcp and 8443/tcp in the firewall configuration of the IPC
    See further recommendations from section "Workarounds and Mitigations"

* SIMATIC IPC847D
  - Affected versions: All versions with affected Adaptec RAID
  - Remediation: Follow the remediation steps documented at https://ask.adaptec.com/app/answers/detail/a_id/17527/
    Stop and disable autostart for maxView Storage Manager WebServer. Note: This software is not required for the underlying RAID to work
    Disable ports 8080/tcp and 8443/tcp in the firewall configuration of the IPC
    See further recommendations from section "Workarounds and Mitigations"

* SIMATIC IPC847E
  - Affected versions: All versions with affected Adaptec RAID
  - Remediation: Update the driver for the SmartRAID controller to V2.6.6 or later version, available at https://storage.microsemi.com/en-us/support/raid/sas_raid/asr-3151-4i/
    Stop and disable autostart for maxView Storage Manager WebServer. Note: This software is not required for the underlying RAID to work
    Disable ports 8080/tcp and 8443/tcp in the firewall configuration of the IPC
    See further recommendations from section "Workarounds and Mitigations"

* SIMATIC IPC1047
  - Affected versions: All versions with affected Adaptec RAID
  - Remediation: Update the driver for the SmartRAID controller to V2.6.6 or later version, available at https://storage.microsemi.com/en-us/support/raid/sas_raid/asr-3151-4i/
    Stop and disable autostart for maxView Storage Manager WebServer. Note: This software is not required for the underlying RAID to work
    Disable ports 8080/tcp and 8443/tcp in the firewall configuration of the IPC
    See further recommendations from section "Workarounds and Mitigations"

* SIMATIC IPC1047E
  - Affected versions: All versions with affected Adaptec RAID
  - Remediation: Update the driver for the SmartRAID controller to V2.6.6 or later version, available at https://storage.microsemi.com/en-us/support/raid/sas_raid/asr-3151-4i/
    Stop and disable autostart for maxView Storage Manager WebServer. Note: This software is not required for the underlying RAID to work
    Disable ports 8080/tcp and 8443/tcp in the firewall configuration of the IPC
    See further recommendations from section "Workarounds and Mitigations"

* Simcenter 3D
  - Affected versions: All versions < 2022.1-2008
  - Remediation: Update to 2022.1-2008 or later version
    Find detailed remediation and mitigation information at: https://support.sw.siemens.com/en-US/knowledge-base/PL8601203
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8603477

* Simcenter Amesim
  - Affected versions: All versions only if Teamcenter integration feature is used
  - Remediation: Update Teamcenter to any fix version available for the different version lines of Teamcenter, see https://support.sw.siemens.com/en-US/knowledge-base/PL8600700
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8601572

* Simcenter System Architect
  - Affected versions: All versions only if Teamcenter integration feature is used
  - Remediation: Update Teamcenter to any fix version available for the different version lines of Teamcenter, see https://support.sw.siemens.com/en-US/knowledge-base/PL8600700
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8601662

* Simcenter System Simulation Client for Git
  - Affected versions: All versions < V2021.2.2
  - Remediation: Update to V2021.2.2 or later version
    Find detailed mitigation steps for both server and client installations at: https://support.sw.siemens.com/en-US/knowledge-base/PL8602538
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com

* Simcenter Testlab
  - Affected versions: All versions >= 2021.1
  - Remediation: Follow the remediation steps documented at: https://support.sw.siemens.com/en-US/knowledge-base/PL8602466
    See further recommendations from section "Workarounds and Mitigations"

* Simcenter Testlab Data Management
  - Affected versions: All versions
  - Remediation: Simcenter Testlab Data Management team will contact all impacted customers to deploy the mitigation measures. This action will secure your installation against the Log4Shell vulnerability.
    For further information see: https://support.sw.siemens.com/en-US/knowledge-base/PL8601418
    See further recommendations from section "Workarounds and Mitigations"

* SiPass integrated V2.80
  - Affected versions: All versions
  - Remediation: Apply the patch
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109805711/

* SiPass integrated V2.85
  - Affected versions: All versions < V2.85.7.5
  - Remediation: Update to V2.85.7.5 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801507/

* Siveillance Command
  - Affected versions: All versions >= V4.16.2.1
  - Remediation: Vulnerabilities fixed for Command installations on a project basis; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* Siveillance Control Pro V2.1
  - Affected versions: All versions
  - Remediation: A hotfix is available; please contact customer support to receive the hotfix
    See further recommendations from section "Workarounds and Mitigations"

* Siveillance Control Pro V2.2
  - Affected versions: All versions < V2.2.7
  - Remediation: Update to V2.2.7 or later version; please contact customer support to receive the latest version
    See further recommendations from section "Workarounds and Mitigations"

* Siveillance Control Pro V2.3
  - Affected versions: All versions < V2.3.2
  - Remediation: Update to V2.3.2 or later version; please contact customer support to receive the latest version
    See further recommendations from section "Workarounds and Mitigations"

* Siveillance Identity V1.5
  - Affected versions: All versions
  - Remediation: Update to V1.5 SP4 and apply the patch
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109805657/

* Siveillance Identity V1.6
  - Affected versions: All versions
  - Remediation: Update to V1.6 SP1 and apply the patch
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109805657/

* Siveillance Vantage
  - Affected versions: All versions
  - Remediation: Vulnerabilities fixed for Vantage installations on a project basis; no user actions necessary
    See further recommendations from section "Workarounds and Mitigations"

* Solid Edge CAM Pro
  - Affected versions: All versions < V2008
  - Remediation: Update to V2008 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/

* Solid Edge Wiring and Harness Design
  - Affected versions: All versions >= V2020 SP2002 < V2022 SP2202 only if Teamcenter integration feature is used
  - Remediation: Update to V2022 SP2202 or later version
    Find detailed mitigation steps at: https://support.sw.siemens.com/en-US/knowledge-base/MG618363
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/product/246738425/downloads

* Spectrum Power 4
  - Affected versions: All versions >= V4.70 SP8 < V4.70 SP9 Security Patch 1
  - Remediation: Update to V4.70 SP9 and apply Security Patch 1. Please contact your local Siemens representative.
    See further recommendations from section "Workarounds and Mitigations"

* Spectrum Power 7
  - Affected versions: All versions >= V2.30 SP2
  - Remediation: Update to V21Q4 and apply the patch. Please contact your local Siemens representative.
    See further recommendations from section "Workarounds and Mitigations"

* Teamcenter Active Workspace V4.3
  - Affected versions: All versions < V4.3.13
  - Remediation: Update to V4.3.13 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Active Workspace V5.0
  - Affected versions: All versions < V5.0.11
  - Remediation: Update to V5.0.11 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Active Workspace V5.1
  - Affected versions: All versions < V5.1.8
  - Remediation: Update to V5.1.8 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Active Workspace V5.2
  - Affected versions: All versions < V5.2.6
  - Remediation: Update to V5.2.6 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Deployment Center V4.0
  - Affected versions: All versions < V4.0.3
  - Remediation: Update to V4.0.3 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Deployment Center V4.1
  - Affected versions: All versions < V4.1.1.1
  - Remediation: Update to V4.1.1.1 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Deployment Center V4.2
  - Affected versions: All versions < V4.2.0.2
  - Remediation: Update to V4.2.0.2 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter EDA V5.1
  - Affected versions: All versions < V5.1.5
  - Remediation: Update to V5.1.5 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter EDA V5.2
  - Affected versions: All versions < V5.2.3
  - Remediation: Update to V5.2.3 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Integration for CATIA
  - Affected versions: All versions < 13.0.1.2
  - Remediation: Update to V13.0.1.2 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/knowledge-base/PL8602463

* Teamcenter Integration Framework V3.3
  - Affected versions: All versions <= V3.3.0.7
  - Remediation: Update to V3.3.0.7 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Integration Framework V4.0
  - Affected versions: All versions <= V4.0.0.2
  - Remediation: Update to V4.0.0.2 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Integration Framework V13.0
  - Affected versions: All versions <= V13.0.0.2
  - Remediation: Update to V13.0.0.2 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Integration Framework V13.1
  - Affected versions: All versions <= V13.1.0.1
  - Remediation: Update to V13.1.0.1 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Integration Framework V13.2
  - Affected versions: All versions <= V13.2.0.1
  - Remediation: Update to V13.2.0.1 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter MBSE Gateway V4.1
  - Affected versions: All versions < V4.1.2
  - Remediation: Update to V4.1.2 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter MBSE Gateway V4.2
  - Affected versions: All versions < V4.2.3
  - Remediation: Update to V4.2.3 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter MBSE Gateway V4.3
  - Affected versions: All versions < V4.3.3
  - Remediation: Update to V4.3.3 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter MBSE Gateway V5.0
  - Affected versions: All versions < V5.0.6
  - Remediation: Update to V5.0.6 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter MBSE Gateway V5.1
  - Affected versions: All versions < V5.1.5
  - Remediation: Update to V5.1.5 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter MBSE Gateway V5.2
  - Affected versions: All versions < V5.2.4
  - Remediation: Update to V5.2.4 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Microservices Framework V5.1
  - Affected versions: All versions < V5.1.8
  - Remediation: Update to V5.1.8 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Microservices Framework V5.2
  - Affected versions: All versions < V5.2.6
  - Remediation: Update to V5.2.6 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Reporting and Analytics V11
  - Affected versions: All versions >= V11.3
  - Remediation: Remove the JndiLookup class from the classpath.
    Find detailed remediation and mitigation information at: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700
    See further recommendations from section "Workarounds and Mitigations"

* Teamcenter Reporting and Analytics V12.2
  - Affected versions: All versions < V12.2.8
  - Remediation: Update to V12.2.8 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Reporting and Analytics V12.3
  - Affected versions: All versions < V12.3.11
  - Remediation: Update to V12.3.11 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Reporting and Analytics V12.4
  - Affected versions: All versions < V12.4.1
  - Remediation: Update to V12.4.1 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Reporting and Analytics V13
  - Affected versions: All versions < V13.2.1.1
  - Remediation: Update to V13.2.1.1 or V13.3.0.0 or later version
    See further recommendations from section "Workarounds and Mitigations"
  - Download: https://support.sw.siemens.com/en-US/knowledge-base/PL8600700

* Teamcenter Technical Publishing
  - Affected versions: All versions >= V2.10 < V13.0.1
  - Remediation: Update to V13.0.1
or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/knowledge- base/PL8612040 * Teamcenter V12.1 - Affected versions: All versions < V12.1.0.14 - Remediation: Update to V12.1.0.14 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8600700 * Teamcenter V12.2 - Affected versions: All versions < 12.2.0.18 - Remediation: Update to V12.2.0.18 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8600700 * Teamcenter V12.3 - Affected versions: All versions < V12.3.0.15 - Remediation: Update to V12.3.0.15 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8600700 * Teamcenter V12.4 - Affected versions: All versions < V12.4.0.12 - Remediation: Update to V12.4.0.12 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8600700 * Teamcenter V13.0 - Affected versions: All versions < V13.0.0.9 - Remediation: Update to V13.0.0.9 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8600700 * Teamcenter V13.1 - Affected versions: All versions < V13.1.0.8 - Remediation: Update to V13.1.0.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8600700 * Teamcenter V13.2 - Affected versions: All versions < V13.2.0.6 - Remediation: Update to V13.2.0.6 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- 
base/PL8600700 * Teamcenter V13.3 - Affected versions: All versions < V13.3.0.1 - Remediation: Update to V13.3.0.1 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8600700 * Tecnomatix eBOP Manager Server - Affected versions: V14.1, V15.0, V15.1, V15.1.2, V16.0, V16.0.1, V16.0.2, V16.1, V16.1.1, V16.1.2 - Remediation: Apply the hotfix See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8602057 * Tecnomatix Intosite - Affected versions: All versions - Remediation: Vulnerabilities fixed on central cloud service; no user actions necessary See further recommendations from section "Workarounds and Mitigations" * Tecnomatix Plant Simulation - Affected versions: V15.0, V16.0, V16.1 only if TCCS is installed - Remediation: Download and install the updated TCCS setup from the Siemens Support Center; for details see https://support.sw.siemens.com/knowledge- base/PL8615527 See further recommendations from section "Workarounds and Mitigations" * Tecnomatix Process Designer - Affected versions: All versions >= V14.1 - Remediation: Apply the hotfix, available for versions V14.1, V15.0, V15.1, V15.1.2, V16.0, V16.0.1, V16.0.2, V16.1, V16.1.1, V16.1.2 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8602057 * Tecnomatix Process Simulate - Affected versions: All versions >= V14.1 - Remediation: Apply the hotfix, available for versions V14.1, V15.0, V15.1, V15.1.2, V16.0, V16.0.1, V16.0.2, V16.1, V16.1.1, V16.1.2 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8602057 * Tecnomatix Process Simulate VCLite - Affected versions: All versions >= V14.1 - Remediation: Apply the hotfix, available for versions V14.1, V15.0, 
V15.1, V15.1.2, V16.0, V16.0.1, V16.0.2, V16.1, V16.1.1, V16.1.2 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8602057 * Tecnomatix RobotExpert - Affected versions: All versions >= V14.1 - Remediation: Apply the hotfix, available for versions V14.1, V15.0, V15.1, V15.1.2, V16.0, V16.0.1, V16.0.2, V16.1, V16.1.1, V16.1.2 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/knowledge- base/PL8602057 * Valor Parts Library - VPL Direct - Affected versions: V6.0, V6.1 - Remediation: Vulnerabilities fixed on remote VPL server; no user actions necessary See further recommendations from section "Workarounds and Mitigations" * Valor Parts Library - VPL Server or Service - Affected versions: V6.0, V6.1 - Remediation: Remove the JndiLookup class from the classpath. Find detailed remediation and mitigation information at: https://support.sw.siemens.com/knowledge-base/MG618362 See further recommendations from section "Workarounds and Mitigations" * VeSys V2019.1 - Affected versions: All versions >= 2019.1 SP1912 only if Teamcenter integration feature is used - Remediation: Currently no fix is planned Find detailed mitigation steps at: https://support.sw.siemens.com/en- US/knowledge-base/MG618363 See further recommendations from section "Workarounds and Mitigations" * VeSys V2020.1 - Affected versions: All versions < V2020.1 SP2202 only if Teamcenter integration feature is used - Remediation: Update to V2020.1 SP2202 or later version Find detailed mitigation steps at: https://support.sw.siemens.com/en- US/knowledge-base/MG618363 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en- US/product/852852123/downloads * VeSys V2021.1 - Affected versions: All versions < V2021.1 SP2202 only if Teamcenter integration feature is used - Remediation: Update to V2021.1 
SP2202 or later version Find detailed mitigation steps at: https://support.sw.siemens.com/en- US/knowledge-base/MG618363 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en- US/product/852852123/downloads * Xpedition Enterprise (XCR) VX.2.10 - Affected versions: All versions < VX.2.10 Update 4 - Remediation: Update to VX.2.10 Update 4 or later version Additional information is available at https://support.sw.siemens.com/en- US/product/1644094854/knowledge- base/MG618343 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/product/1644094854/download/2022 01034 * Xpedition Enterprise VX.2.6 - Affected versions: All versions - Remediation: Apply the hotfix See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/product/1644094854/knowledge- base/MG618343 * Xpedition Enterprise VX.2.7 - Affected versions: All versions < VX.2.7 Update 19 - Remediation: Update to VX.2.7 Update 19 or later version Additional information is available at https://support.sw.siemens.com/en- US/product/1644094854/knowledge- base/MG618343 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/product/852852130/download/20220 1039 * Xpedition Enterprise VX.2.8 - Affected versions: All versions < VX.2.8 Update 13 - Remediation: Update to VX.2.8 Update 13 or later version Additional information is available at https://support.sw.siemens.com/en- US/product/1644094854/knowledge- base/MG618343 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/product/852852130/download/20220 1037 * Xpedition Enterprise VX.2.10 - Affected versions: All versions < VX.2.10 Update 4 - Remediation: Update to VX.2.10 Update 4 or later version Additional information is available at 
https://support.sw.siemens.com/en- US/product/1644094854/knowledge- base/MG618343 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/product/852852130/download/20220 1033 * Xpedition IC Packaging (XCR) VX.2.10 - Affected versions: All versions < VX.2.10 Update 4 - Remediation: Update to VX.2.10 Update 4 or later version Additional information is available at https://support.sw.siemens.com/en- US/product/1644094854/knowledge- base/MG618343 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/product/1644094857/download/2022 01036 * Xpedition IC Packaging VX.2.6 - Affected versions: All versions - Remediation: Apply the hotfix See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/product/1644094854/knowledge- base/MG618343 * Xpedition IC Packaging VX.2.7 - Affected versions: All versions < VX.2.7 Update 19 - Remediation: Update to VX.2.7 Update 19 or later version Additional information is available at https://support.sw.siemens.com/en- US/product/1644094854/knowledge- base/MG618343 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/product/1091814625/download/2022 01040 * Xpedition IC Packaging VX.2.8 - Affected versions: All versions < VX.2.8 Update 13 - Remediation: Update to VX.2.8 Update 13 or later version Additional information is available at https://support.sw.siemens.com/en- US/product/1644094854/knowledge- base/MG618343 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/product/1091814625/download/2022 01038 * Xpedition IC Packaging VX.2.10 - Affected versions: All versions < VX.2.10 Update 4 - Remediation: Update to VX.2.10 Update 4 or later version Additional information is available at https://support.sw.siemens.com/en- 
US/product/1644094854/knowledge- base/MG618343 See further recommendations from section "Workarounds and Mitigations" - Download: https://support.sw.siemens.com/en-US/product/1091814625/download/2022 01035 WORKAROUNDS AND MITIGATIONS =========================== Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: * If the specific Siemens product allows it: Remove the JndiLookup class from the classpath: 'zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class'. This measure mitigates both CVE-2021-44228 and CVE-2021-45046. Note: in case you reinstall or update the product to a yet unfixed version later: check if the vulnerable JndiLookup class has to be removed again. * If the specific Siemens product allows it: Update the Log4j component to 2.16.0 or later versions on the systems where the product is installed. This measure mitigates both CVE-2021-44228 and CVE-2021-45046. Note: in case you reinstall or update the product to a yet unfixed version later: check if the Log4j component has to be updated again. * If, for a particular product listed in the table above, no remediation or specific mitigation is given: Block both incoming and outgoing connections between the system and the Internet. Product specific remediations or mitigations can be found in the section "Affected Products and Solution". Please follow the "General Security Recommendations". GENERAL SECURITY RECOMMENDATIONS ================================ As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial- security), and to follow the recommendations in the product manuals. 
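The first two workarounds in "Workarounds and Mitigations" above (removing JndiLookup.class from log4j-core, or running Log4j 2.16.0 or later) are easy to apply once and then silently undo by a reinstall, which is what the notes there warn about. The script below is an added verification example, not Siemens code and not part of this advisory: it walks an install tree, inspects every jar (by content, so a renamed or shaded log4j-core is still found), reports whether the class is present and which log4j-core version the Maven metadata claims, and can remove the class the same way the advisory's zip command does. The jar files it creates are constructed stand-ins with placeholder bytes, and the directory layout is assumed; point scan_directory at a real product installation to use it.

```python
"""Offline check for the two Log4j workarounds given in the advisory:
is org/apache/logging/log4j/core/lookup/JndiLookup.class still on the
classpath, and is the bundled log4j-core already at a fixed version?
Added example, not Siemens code; all jars below are constructed stand-ins."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.12.2-rc1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed_version(version):
    """2.16.0+, or 2.12.2+ on the Java 7 line, as named in the advisory."""
    if version is None:
        return False
    return version >= (2, 12, 2) if version[:2] == (2, 12) else version >= (2, 16, 0)


def inspect_jar(path):
    """Report the log4j-core version (from Maven metadata, if present),
    whether JndiLookup.class is inside, and whether either workaround holds."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
    has_jndi = JNDI_CLASS in names
    return {"version": version, "jndi_lookup": has_jndi,
            "mitigated": (not has_jndi) or is_fixed_version(version)}


def scan_directory(root):
    """Inspect every .jar under root (file names are not trusted, so shaded
    jars count too) and keep those carrying log4j-core metadata or the class."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                result = inspect_jar(path)
                if result["version"] is not None or result["jndi_lookup"]:
                    findings[path] = result
    return findings


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class: the same effect as the
    advisory's 'zip -q -d log4j-core-*.jar org/.../JndiLookup.class'."""
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    with open(path, "wb") as fh:
        fh.write(buf.getvalue())
    return True


def make_sample_jar(path, version, with_jndi=True):
    """Constructed stand-in: only the entries the check looks at, with
    placeholder bytes instead of real class files."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                     "artifactId=log4j-core\nversion=%s\n" % version)
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Scan a constructed install tree, strip the class from the unfixed jar,
    and scan again. Returns (before, removed, after) keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.makedirs(lib)
        old = os.path.join(lib, "log4j-core-2.14.1.jar")
        make_sample_jar(old, "2.14.1")
        make_sample_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "2.16.0")
        with zipfile.ZipFile(os.path.join(lib, "unrelated.jar"), "w") as jar:
            jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")  # no log4j
        before = {os.path.basename(p): r for p, r in scan_directory(tmp).items()}
        removed = remove_jndi_lookup(old)
        after = {os.path.basename(p): r for p, r in scan_directory(tmp).items()}
    return before, removed, after


if __name__ == "__main__":
    for label, item in zip(("before", "removed", "after"), demo()):
        print(label, item)
```

The version check follows the advisory's own statement that 2.16.0 (and 2.12.2 on the Java 7 line) fixes both CVEs; it deliberately does not treat 2.15.0 as fixed, since the page records that release as incomplete. Re-run the scan after every product reinstall or update, which is the situation both notes in the workarounds list describe.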
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity PRODUCT DESCRIPTION =================== APOGEE Insight software provides an easy-to-use graphical interface to manage and control a building. Aprisa is a route-centric physical design platform for the modern SoC. Austemper products form an end-to-end tool suite to analyze, augment and verify functional safety in system-on-chip (SoC), application specific integrated circuit (ASIC) and intellectual property (IP) designs ensuring they meet functional safety requirements. Building Twin is a cloud-based software providing multi tenancy concepts and APIs for accessing building data of the digital replica of the building. Building Twin and 360° Viewer enables application development based on location aware building data including live data of the building. For digitization of brownfield buildings or documentation of the progress during construction the NavVis IVION Viewer utilizes the combination of 360° panoramic images with highly precise point clouds created by laser scans. CADRA is a unique portfolio of affordable, easy-to-use 2.5D drafting software that allows you to reuse existing geometry within a drawing. Calibre Design Solutions delivers a complete IC verification and DFM optimization platform. Calibre IC Manufacturing products ensure fast ramp and maximum process yield through the entire technology node life cycle. Capital is a comprehensive E/E systems development solution for complex platforms in automotive, aerospace, and adjacent industries. Catapult provides solutions for High-Level Synthesis and Verification via C++ and SystemC language support, FPGA and ASIC independence and more. Cerberus DMS is a danger management station that helps users manage fire safety and security events. Cerberus PACE is a public address and voice alarm (PA/VA) system for office or public buildings. 
It can be used for everyday operation like playing background music or ensuring controlled evacuation in case of an emergency. Comfy is a workplace experience app that gives employees personal control, while delivering operational results for workplace teams. COMOS is a unified data platform for collaborative plant design, operation and management that supports collecting, processing, saving, and distributing of information throughout the entire plant lifecycle. Connect X200 Gateways are designed to connect building devices to cloud applications such as Building Operator or Cerberus Cloud Apps through the internet. Connect X300 Gateways are designed to connect building devices to cloud applications such as Building Operator or Cerberus Cloud Apps through the internet. cRSP (common Remote Service Platform) provides system-specific access and remote services for automation systems. Desigo CC is the integrated building management platform for managing high-performing buildings. With its open design, it has been developed to create comfortable, safe and efficient facilities. It is easily scalable from simple single-discipline systems to fully integrated buildings. Desigo CC Compact extends the portfolio with a tailored solution for small and medium-sized buildings. Desigo Insight is the BACnet management station of the Desigo building automation and control system that works with the automation stations Desigo PX, Desigo TRA (Total Room Automation) and BACnet third-party. E-Car OC (E-Car Operation Center) is a cloud service that manages charging infrastructures for electric vehicles (EVs), both in domestic and public or semi-public areas. EnergyIP applications enable utilities, retailers, DSO's and market operators proven technology to meet the needs and requirements of the energy sector. EnergyIP Prepay is an end-to-end solution for smart prepaid energy management. 
It features flexible tariff management, real-time rating and charging, convenient payment, and recharging options as well as intelligent energy consumption control features. Enlighted Amaze is a back-end service for the cloud-based Enlighted applications. Enlighted Manage is available as a cloud-based software or on-premise server stores, performs analysis, and provides visual reporting of sensor data. In addition to being the collection point for energy, occupancy, and environmental data captured by the Enlighted Sensors, Manage provides a web-based user interface for lighting system management, IoT device management, and optimizing building system performance. Enlighted Where application reliably locates people and assets in real-time in a building or across buildings anywhere in an enterprise. FIN Framework (FIN) is a software framework with application suites that can integrate, control, manage, analyze, visualize and connect. Geolus Shape Search is a geometry-based 3D search engine for both single and multi-CAD environment PLM stakeholders. HDL Designer Series (HDS) products combine deep analysis capabilities, advanced creation editors, and complete project and flow management, to deliver a powerful HDL design environment that increases productivity of individual engineers and teams (local or remote) and enable a repeatable and predictable design process. HyperLynx provides integrated signal integrity, power integrity, 3D electromagnetic modeling & electrical rule checking for high-speed digital PCB designs. Industrial Edge Management (IEM) enables a centralized management of Siemens Industrial Edge Devices and Edge Applications. IEM is tailored to customer’s needs and is operated by the customer (on-premises). inFact is a graph-based verification tool that generates/directs test stimulus for the testbench during the functional verification of digital hardware designs. 
SIMATIC IT Report Manager provides a set of tools for reporting, composed of engineering tools and runtime tools. jROS (joint Resource Optimization and Scheduler) is a collection of forecasting and planning applications for the energy market. It is designed as a shared component of Spectrum Power. It may also be used as a stand-alone planning system or integrated in a SCADA/EMS System. LOGO! Soft Comfort is an engineering software to configure and program LOGO! BM (Base Module) devices. Mendix is a high productivity app platform that enables you to build and continuously improve mobile and web applications at scale. The Mendix Platform is designed to accelerate enterprise app delivery across your entire application development lifecycle, from ideation to deployment and operations. MindSphere Developer Cockpit can be used to manage your applications. MindSphere Operator Cockpit can be used to transfer applications from a Developer Cockpit, deploy the Cloud Foundry applications, register self-hosted applications, etc. MindSphere Asset Manager can be used to onboard and offboard agents to your account, configure assets, asset types and aspect types. MindSphere Cloud Foundry Org is an environment to host, test and operate applications. MindSphere is the leading industrial IoT as a service solution. Using advanced analytics and AI, MindSphere powers IoT solutions from the edge to the cloud with data from connected products, plants and systems to optimize operations, create better quality products and deploy new business models. MindSphere Identity and Access Management are services available via their respective MindSphere APIs. These services are used to manage users, customers/subtenants, roles and scopes. MindSphere Integrated Data Lake allows you to store data as an object, bring together data from different sources and use it with applications and tools. You can organize data in different folders, associate it with metadata tags, search and delete objects. 
MindSphere Notification Service is available via its respective MindSphere APIs. This service enables you to send emails, mobile push notifications and SMS in relation to certain events defined by you or send email notifications to (a group of) individual recipients. MindSphere Predictive Learning allows you to build predictive models through machine learning techniques, enabling companies to optimize product quality as well as reduce potential field failures and performance issues. You can employ diverse machine learning algorithms. It also allows you to build and execute predictive models in Python, R and Spark. MindSphere Usage Transparency Service is a service available via its respective MindSphere APIs. This service offers insight on your consumption of certain resources and corresponding limits of your MindAccess plans and other subscribed services, e.g., API calls, number of users, inbound traffic and data storage volume. Moreover, developers can define metrics within this service so that consumption can be tracked. MindSphere Visual Explorer enables you to visualize certain parts of your content. Such visualizations can be combined into dashboards, which may be used to analyse the performance of connected assets. ModelSim is an application to simulate, debug, and validate FPGA and SoC designs. ModelSim simulates behavioral, RTL, and gate-level code - delivering increased design quality and debug productivity with platform-independent compile. Advantage Navigator is a cloud-based advanced analytics platform designed to help you optimize the performance of your buildings. Novigo is an EN 54-16-certified multi-channel digital audio system for demanding digital and network-based public address and evacuation applications. NX software is an integrated toolset that helps to develop design, simulation, and manufacturing solutions by supporting various aspects of product development allowing the designer to optimize shape to achieve a multidisciplinary design. 
NXpower Monitor is a cloud-based application to start and accompany your digital journey in energy distribution. It enables you to monitor and visualize your electrical assets throughout the world at all times and from any location. Opcenter APS (formerly known as "Preactor APS") is a family of production planning and scheduling software products that help you better orchestrate manufacturing processes. Opcenter Intelligence (formerly known as "Manufacturing Intelligence") connects, organizes and aggregates manufacturing data from disparate company sources into cohesive, intelligent and contextualized information. Operation Scheduler is a tool that enables security operators to intelligently perform routine tasks. It can be used to schedule maintenance tasks. PADS Professional is an integrated PCB design and verification flow for hardware engineers and small workgroups that delivers compatibility with Xpedition technology and extended collaboration for PCB engineering projects. PADS Standard and Standard Plus provide PCB schematic design and layout capabilities in an intuitive and easy-to-use environment. PartQuest is a cloud-based design, modeling, simulation, and analysis environment for electronic and mechatronic circuits and systems. Tecnomatix Plant Simulation allows you to model, simulate, explore and optimize logistics systems and their processes. These models enable analysis of material flow, resource utilization and logistics for all levels of manufacturing planning from global production facilities to local plants and specific lines, well in advance of production execution. Questa Design Solution is an automated and integrated suite of IC verification tools for designers to improve initial RTL quality. Questa Formal Verification Apps complement simulation-based RTL design verification by analyzing all possible design behaviors to detect any reachable error states. 
This analysis ensures critical control blocks work correctly in all cases and locates design errors that may be missed in simulation. Questa Simulation products are used worldwide to simulate, debug, and verify integrated circuit designs, enabling design and verification engineering team to accelerate time-to-market of high-quality, high-complexity ASIC and FPGA designs. Questa Verification IP (VIP) provides coverage across a broad portfolio of over 100 standard interface protocols. Questa VIP delivers a complete verification solution including ready-to use test plans, test suites, checkers, and coverage models. Tecnomatix RobotExpert is an easy-to-deploy, robot simulation and offline programming software that enables you to perform complete 3D modeling, visualization and simulation of your automation systems including robots, tooling and peripheral equipment. SENTRON powermanager power monitoring software analyzes energy consumption by displaying important characteristics for individual devices and for the entire system on an easy-to-understand dashboard. SIGUARD DSA is a model-based dynamic stability assessment tool for online control room use and offline operational planning purposes. SIMATIC IPC (Industrial PC) is the hardware platform for PC-based automation from Siemens. SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system. Simcenter 3D is a comprehensive, fully-integrated CAE solution for complex, multidisciplinary product performance engineering. Simcenter Amesim is an integrated, scalable system simulation platform, allowing system simulation engineers to virtually assess and optimize the performance of mechatronic systems. Simcenter System Architect is a co-simulation platform for multiple heterogeneous models, enabling collaboration across domain boundaries and siloes. Simcenter System Simulation Client for Git provides a smart way of day-to-day versioning of systems simulation architecture, models and libraries. 
Simcenter Testlab is a complete, integrated solution for test-based engineering, combining high-speed multi-physics data acquisition with a full suite of integrated testing, analytics, and modeling tools for a wide range of test needs. SiPass integrated is a powerful and extremely flexible access control system. SIPORT is a comprehensive, modular and reliable system for access control and time management within the Siveillance Access Suite. Siveillance Control, formerly known as Siveillance Viewpoint, is a Physical Security Information Management system (PSIM) that seamlessly consolidates a variety of safety and security systems, such as access control, intrusion detection, and video surveillance, all on one common platform. Siveillance Control Pro is a command and control solution, specifically designed to support security management at critical infrastructure sites such as ports, airports, oil and gas power generation and distribution, chemical and pharma industries, heavy industries and campus environments. Siveillance Vantage is an innovative and advanced software solution for mission critical security command and control centers operating critical infrastructure applications. Solid Edge is a portfolio of software tools that addresses various product development processes: 3D design, simulation, manufacturing and design management. Solid Edge CAM Pro is a modular, flexible configuration of numerical control (NC) programming solutions. Solid Edge Wiring and Harness Design is a graphical design application for creating harness and formboard drawings. Spectrum Power provides basic components for SCADA, communications, and data modeling for control and monitoring systems. Application suites can be added to optimize network and generation management for all areas of energy management. Teamcenter software is a modern, adaptable product lifecycle management (PLM) system that connects people and processes, across functional silos, with a digital thread for innovation. 
Teamcenter Active Workspace is a web application for accessing the Teamcenter system that provides an identical and seamless experience on any computer or smart device. Teamcenter Deployment Center is a web based installer that helps to easily install, patch, and upgrade Teamcenter software across a various other environments. Teamcenter EDA allows to edit and release design variants where users can map item attributes to the associated variant and generate a BOM appropriate for each design variant. Teamcenter Integration for CATIA enhances your CATIA environment with a full range of product lifecycle management (PLM) capabilities. Teamcenter Integration Framework (TcIF) integrates Teamcenter with other systems, helping to automate processes which cross system boundaries. Teamcenter MBSE (model-based systems engineering) is a critical part of Teamcenter product lifecycle management (PLM) that allows to do multi-domain product development. Teamcenter Microservices Framework (TcMSF) manages the microservices of Teamcenter applications in a distributed environment, and provides the Service Registry and the Service Dispatcher. Teamcenter Reporting and Analytics is a collaborative real-time or near realtime business intelligence/analytics (BI) product. Teamcenter Structured Content Management and Technical Publishing suite helps for automating the activities associated with authoring, assembling and publishing complex product and/or service documentation in multiple languages and delivery formats. Tecnomatix eBOP Manager Server is part of the Tecnomatix digital manufacturing solutions. It is built on the concept of the electronic bills of processes (eBOP) which manages product operations and resources. Tecnomatix Intosite allows you to create cloud-based 2D/3D/panoramic representations of a production facility, presented in its geographical context. 
Tecnomatix Process Designer allows you to associate and reconcile multiple configurations of product bills of material (EBOMs), manufacturing bills of material (MBOMs), and bills of process (BOPs). You can also validate manufacturing planning decisions by using advanced visualization and analytical tools. Tecnomatix Process Simulate is a digital manufacturing solution for manufacturing process verification in a 3D environment. Tecnomatix Unicam and Test Expert products provide Manufacturing Process Management (MPM) solutions for electronics manufacturers. Tessent Silicon Lifecycle Solutions consists of products for IC test and functional monitoring, including best-in-class design-for-test tools and test data analytics, security, debug and in-life monitoring products that help ensure the highest test coverage, accelerate yield ramp and improve quality and reliability across the silicon lifecycle. HES UDIS (Head-End System Universal Device Integration System) is an integrated solution for processing meter data and device events. Valor NPI (new product introductions) brings DFM (design for manufacturability) into PCB layout/design, where issues can be discovered and corrected quickly and inexpensively instead of finding issues after handoff to manufacturing. Valor Parts Library (VPL) connects PCB design to design-for-manufacturing (DFM), speeding up the new product introduction (NPI) process. Comprehensive DFM analysis of a PCB design can be performed using VPL and Valor NPI. VPL enables concurrent engineering for Valor NPI and Xpedition. Veloce hardware-assisted verification system is used for the rapid verification of highly sophisticated, next-generation integrated circuit (IC) designs. VeSys is a suite of wiring and harness design software tools. Visual Elite provides a comprehensive design environment for SoC, ASIC, and FPGA developers and system designers. 
Visualizer is a debug environment that provides a visual display of data obtained from a variety of simulation (Questa SIM) or emulation (Veloce) products.

Xpedition is an innovative PCB design flow application, providing integration from system design definition to manufacturing execution.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

* Vulnerability CVE-2021-44228

Apache Log4j V2, versions < 2.15.0 do not protect JNDI features (as used in configuration, log messages, and parameters) against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

CVSS v3.1 Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE: CWE-20: Improper Input Validation

* Vulnerability CVE-2021-45046

The fix to address CVE-2021-44228 was incomplete in certain non-default configurations, when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, ${ctx:loginId}).
This could allow attackers with control over Thread Context Map (MDC) input data to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.

CVSS v3.1 Base Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE: CWE-20: Improper Input Validation

ADDITIONAL INFORMATION
======================

This advisory will be updated as more information becomes available.

Non-exhaustive List of Products Currently Considered As Not Affected:

In particular, the following Siemens products are currently considered as not affected:

* Advantage Navigator Software Proxy V5
* Analog/Mixed Signal (AMS) products
* APOGEE Insight
* Aprisa
* Austemper products
* CADRA
* Calibre products
* Catapult products
* Cerberus PACE
* Comfy
* Desigo Insight
* Enlighted: eCloud, Safe, Space, Manage in the Cloud, People Counting, Gateways and Sensors
* Enlighted Manage (detailed explanation at https://support.enlightedinc.com/hc/en-us/articles/4414353643667-Log4J-Vulnerability)
* FIN Framework
* HDL Designer Series (HDS) products
* HyperLynx
* IC Flow (Tanner, Pyxis, LightSuite Photonic Compiler)
* inFact products
* LOGO! products
* ModelSim products
* Novigo
* Opcenter APS
* Opcenter Execution Core (except Opcenter Execution Core Process Automation Control)
* Opcenter Execution Discrete
* Opcenter Execution Electronics
* Opcenter Execution Foundation
* Opcenter Execution Medical Device and Diagnostics
* Opcenter Execution Pharma
* Opcenter Execution Process
* Opcenter Execution Semiconductor
* Opcenter Research, Development & Laboratory (RD&L)
* PADS Standard, Standard Plus, Professional
* PartQuest
* Polarion
* Questa Design Solution products
* Questa Formal Verification products
* Questa Simulation products (incl. ReqTracer)
* Questa Verification IP products
* Questa Verification IQ products
* Reyrolle products
* RUGGEDCOM products
* SCALANCE products
* SICAM products
* SIDRIVE IQ products
* SIGUARD PDP
* SIMARIS products
* SIMATIC products (except for a subset of SIMATIC IPCs)
* SIMATIC IT products
* SIMOTICS CONNECT 600
* SINAMICS products
* SINAMICS MV products
* SINUMERIK products
* Simcenter FloTHERM PACK and Flomaster
* SIMIT Simulation Platform
* SIMOTION products
* SIPROTEC products
* SiPass integrated, versions < V2.80
* SIPORT
* Siveillance Control / Siveillance Viewpoint
* Siveillance Video
* Solido products
* Spectrum Power TG
* Spectrum Power 3
* Spectrum Power 5
* Teamcenter Requirements Integrator
* Teamcenter Visualization
* Tecnomatix Unicam and Test Expert products
* Tessent products
* Valor NPI
* Veloce (Veloce, Prototyping System, Certus, VIPR, Software Debug, System Level Analysis, Vista, X-STEP)
* Visual Elite products
* Visualizer products
* Xpedition Valydate

As mentioned above, this is an ongoing investigation. Thus, products that are currently considered as not affected may subsequently be considered as affected when additional information becomes available.

Errata:

The following products were temporarily listed as affected. They were removed after closer investigation showed that they are not affected:

* SIMATIC WinCC, all versions (V7.4 was listed as affected in V1.0-V1.1 of the advisory)
* LOGO! Soft Comfort (listed as affected in V1.0-V1.2 of the advisory)
* Siveillance Viewpoint (listed as affected in V1.2-V1.3 of the advisory)
* Connect X200/X300 gateways (listed as affected in V1.5 of the advisory; only the Building Operator Discovery applications are affected, not the gateways themselves)
* Teamcenter Requirements Integrator (listed as affected in V1.3-V2.3 of the advisory)

Additional Notes:

For the impact of the Log4j vulnerabilities to solutions provided by Siemens Mobility and Affiliates please address your local service or sales contact.
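Applying an advisory like this one to a fleet starts with an inventory: which copies of log4j-core are on disk, and is each at a fixed level or still exposed. The Python block below is an added example, not Siemens tooling. It assumes that log4j-core jars are named log4j-core-<version>.jar or carry an Implementation-Version attribute in their manifest; that 2.16.0 (2.12.2 on the 2.12.x line) is the fix level for both CVEs, as documented on the Apache security page referenced in this advisory; and that a jar from which the JndiLookup class has been deleted (the workaround described on that same Apache page) counts as mitigated. The four jars it scans are constructed in a temporary directory for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Added example (not Siemens tooling): inventory log4j-core jars on disk and
# classify each against the fix levels for CVE-2021-44228 / CVE-2021-45046.

# Fix levels: 2.16.0 on the main line, 2.12.2 on the 2.12.x line (Apache security page).
FIXED_MAIN = (2, 16, 0)
FIXED_212 = (2, 12, 2)
# Class whose removal is the Apache-documented workaround for older jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: jars follow the log4j-core-<version>.jar naming convention.
NAME_RE = re.compile(r"^log4j-core-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None for anything that is not major.minor.patch."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version):
    """True when the version is at or above the fix level for its release line."""
    if version[:2] == (2, 12):
        return version >= FIXED_212
    return version >= FIXED_MAIN


def jar_version(path):
    """Version from the file name, else from Implementation-Version in the manifest
    (assumption: log4j-core manifests carry that attribute)."""
    m = NAME_RE.match(path.name)
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def assess_jar(path):
    """'fixed', 'mitigated' (JndiLookup class deleted), 'vulnerable' or 'unknown'."""
    version = jar_version(path)
    if version is None:
        return "unknown"
    if is_fixed(version):
        return "fixed"
    with zipfile.ZipFile(path) as zf:
        has_jndi_lookup = JNDI_LOOKUP_CLASS in zf.namelist()
    return "vulnerable" if has_jndi_lookup else "mitigated"


def scan(root):
    """Map every log4j-core*.jar below root to its assessment. Jars nested inside
    WAR/EAR archives are not unpacked here."""
    return {str(p): assess_jar(p) for p in sorted(Path(root).rglob("log4j-core*.jar"))}


def make_sample_jar(path, version, include_jndi_lookup=True):
    """Constructed sample jar: a manifest plus an empty placeholder class entry."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")


def demo():
    """Build four constructed jars in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_jar(root / "app" / "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(root / "app" / "log4j-core-2.16.0.jar", "2.16.0")
        make_sample_jar(root / "legacy" / "log4j-core-2.12.2.jar", "2.12.2")
        # Unversioned file name: version must come from the manifest; class removed.
        make_sample_jar(root / "patched" / "log4j-core.jar", "2.15.0",
                        include_jndi_lookup=False)
        return {Path(p).name: verdict for p, verdict in scan(root).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two caveats a practitioner will hit in practice: log4j-core is frequently embedded inside WAR, EAR or shaded application jars, which this walk does not open, and a version lookup that returns None ("unknown") should be treated as unresolved rather than safe. For the Siemens products in this advisory the vendor-supplied update remains the remediation; the inventory only tells you where to look.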
Note: two additional vulnerabilities were published for Apache Log4j, the impact of which is documented in SSA-501673: https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf (CVE-2021-45105) and SSA-784507: https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf (CVE-2021-44832).

For more details regarding the Log4j vulnerabilities refer to https://logging.apache.org/log4j/2.x/security.html

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA
============

V1.0 (2021-12-13): Publication Date
V1.1 (2021-12-15): Added additional (potentially) affected products and additional remediation or mitigation measures; added reference to CVE-2021-45046 and updated mitigations accordingly
V1.2 (2021-12-16): Added additional affected products, remediation or mitigation measures, and products under investigation; removed SIMATIC WinCC V7.4 because it is not affected
V1.3 (2021-12-17): Added additional affected products, remediation or mitigation measures, and products under investigation; removed LOGO! Soft Comfort because it is not affected; expanded Teamcenter Suite to individual affected applications in Teamcenter; updated information for Desigo CC and Cerberus DMS
V1.4 (2021-12-18): Revised severity of CVE-2021-45046 and removed ineffective mitigation measures; added Comfy and Enlighted; added individual Mindsphere applications; removed Siveillance Viewpoint because it is not affected; added a statement regarding Siemens Mobility solutions
V1.5 (2021-12-19): Added reference to new SSA-501673 that covers a new Log4j vulnerability (CVE-2021-45105); added remediation for SENTRON powermanager V4; added Connect X200/X300 gateways
V1.6 (2021-12-20): Added non-exhaustive list of Siemens products currently not considered as affected; updated information for Industrial Edge Management OS and for SENTRON powermanager; updated impact, mitigation measures and fix release information for EnergyIP Prepay; added remediation for SIGUARD DSA; clarified Building Operator Discovery Applications vs. Connect X200/X300 gateways; added remediation for Advantage Navigator Software Proxy V6; added Advantage Navigator Software Proxy V5 to list of not affected products
V1.7 (2021-12-21): Added solution for MindSphere Visual Explorer; added jROS for Spectrum Power, Building Twin - 360° Viewer, and NXpower Monitor; added additional products considered as not affected
V1.8 (2021-12-22): Added Simcenter Testlab and Teamcenter Integration for CATIA; added additional products considered as not affected
V1.9 (2021-12-23): Added solution for MindSphere Predictive Learning, GMA-Manager, Operation Scheduler, and Siveillance Identity; added SIMATIC IT Report Manager, Simcenter System Simulation Client for Git, Tecnomatix Intosite, Tecnomatix Plant Simulation, and Valor Parts Library; added additional products considered as not affected; updated section "Workarounds and Mitigations"
V2.0 (2021-12-27): Added solution for Xpedition Enterprise and IC Packaging; updated information for Geolus Shape Search; added SIMATIC IPCs as under investigation; added additional products considered as not affected
V2.1 (2021-12-28): Added SIMATIC IPCs with Adaptec RAID; added additional Tecnomatix products (Process Designer, Process Simulate, RobotExpert, eBOP Manager Server); added reference to new SSA-784507 that covers a new Log4j vulnerability (CVE-2021-44832)
V2.2 (2022-01-05): Added solution for Simcenter 3D, and for Tecnomatix eBOP Manager Server V15.0, V16.0.2; added cRSP Operator Client Starter as under investigation; added a note regarding Enlighted Manage
V2.3 (2022-01-17): Added solution for SiPass integrated, for Industrial Edge Management OS and App, and for Tecnomatix eBOP Manager Server V16.0.1, V16.1.1, V16.1.2; clarified the impact to cRSP and cRSP Operator Client Starter; added additional products considered as not affected
V2.4 (2022-01-28): Added solutions for Teamcenter Active Workspace (AW), Microservices Framework (MSF) and Reporting and Analytics (TcRA); removed Teamcenter Requirements Integrator because it is not affected; added additional products considered as not affected
V2.5 (2022-02-08): Added solution for Spectrum Power 4 and 7 (incl. jROS), for Teamcenter Technical Publishing and for Xpedition Enterprise and IC Packaging, versions VX.2.7, VX.2.8, VX.2.10; added additional products considered as not affected
V2.6 (2022-03-08): Added or updated solutions for Siveillance Command, Control Pro, Vantage; added solution for Tecnomatix Plant Simulation (installations with TCCS)
V2.7 (2022-04-12): Added solution for NX; confirmed that SIMATIC IT Report Manager is not affected; removed section "Products Under Investigation"
V2.8 (2022-05-10): Added solution for Capital, COMOS, HES UDIS, Simcenter System Simulation Client for Git, Solid Edge CAM Pro, Solid Edge Wiring and Harness Design, VeSys; updated solution for SIMATIC IPC and SiPass V2.85; EnergyIP Prepay: clarified that fix release V3.8.0.12 is also valid for versions before V3.8
V2.9 (2022-06-14): Added fix for Opcenter Intelligence, Simcenter Amesim and Simcenter System Architect and for all affected version lines of Teamcenter product suite
V3.0 (2022-08-09): Updated fix information for COMOS and Desigo CC V5.1

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
Copyright: Siemens 2022

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmLxo4AACgkQlm7gTEmy
ujSDIQ/+LDjjp+JJuq6m4dRVsi8RaUcDOMCpyKfasEWofddE+RWe0X0r/MGU9Fva
vwapvY9v4h4h8giPUrIvRSSNNwDBdR1H26aiKD4lnIHS/5nKpbIJmxLb7+mDoOct
BYy5/8V+Lpd0BCe7CYZiNJYjLT1DZ2AEDWh8i5Q838xs+DrcrIuODIsXzjLDQkQx
cYYZw5DFdWdswDTmEcp7jClVV8f3wIj2ZOjl6MrzL+UCMsXfrxOJQI6YDJ/ll/JM
r8CHh60JJOiGeHn/Z6AoQ3XypF8nmIEx3Mf8cSX1apP0sURkWu0DSw/ZlihuDEz6
UDp4kwkJlMKIEp1dY2ONbEBOTI+AdhRQZx7P+vlquhb318lbMB4LIDx2mZPnwwVi
abL1qpfYIt8Lt5U6ea2/smDL/x7Lb2GnBivA6x1kcXo0mnQH9QEJOfTxmCGk9fgh
O2jbnPWnoYR4Vk94dm0aXKGd/TwAy9nhBamcbOtcdmMWyEMFs/Qb9vUwfiXFCRIE
w7g1IMRkO14SkwFaFrGh7Kow6yA2U/5luuHkoi9i3HK+6Chqkx1vYoyTZKOj8eYM
zjnIHEhjr5IuNzisoxjSlzC7GWt/NInSXpgT1YubQSZdVHU8MIBLo8imSLo6Uxdm
CHZnFgzB+n2YUb+RFBdW+4LrC1yESKFUKZkokBloqmemhQJowbU=
=89SK
-----END PGP SIGNATURE-----