Log4j Vulnerability CVE-2021-44228
Posted by Phil Reed on 16 December 2021 10:18 AM
Log4Shell Vulnerability CVE-2021-44228 - Response from Schneider Electric
Schneider Electric is aware of the vulnerability known as Log4Shell impacting Apache Log4j, an open-source code project frequently used by applications and services from a variety of vendors. Our cybersecurity team is actively investigating its potential impact on Schneider Electric offers.
In the meantime, customers should immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from the exploitation of this vulnerability. Where appropriate, this includes locating their systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; preventing mission-critical systems and devices from being accessed from outside networks; more information can be found in the Schneider Electric Recommended Cybersecurity Best Practices document.
I recommend you register for cybersecurity notifications at: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
There you will find more information on CVE-2021-44228.
EcoStruxure IT Gateway and IT Expert
Log4j is a standard logging library used by many Java applications, including the EcoStruxure IT Expert and IT Gateway.
EcoStruxure IT Gateway
A new EcoStruxure IT Gateway version (126.96.36.199) containing log4j version 2.16 is now available. We strongly encourage all customers to upgrade.
EcoStruxure IT Gateway versions 1.5.0 to 1.13.0 contain the affected versions of the library and may be susceptible to remote code execution as described in CVE-2021-44228. It is still unclear if or how an exploit of log4j in the EcoStruxure IT Gateway is possible. Earlier EcoStruxure IT Gateway versions (1.4.3 and earlier) do not contain an impacted version of log4j.
EcoStruxure IT Expert
The cloud-based EcoStruxure IT Expert has already been updated with log4j version 2.15, which includes a fix for CVE-2021-44228. A newer and further hardened version of log4j, version 2.16, has just been released and will be implemented shortly.
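Because the advisory above identifies exposure purely by which log4j version a product ships, a practical first step on an IT Gateway host (or any Java deployment) is to inventory the log4j-core JARs actually present, including copies nested inside WARs and fat JARs. The script below is an added example and is not Schneider Electric's tooling or code from the original post. It assumes the standard Maven metadata file that log4j-core carries inside its JAR (META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties), treats pre-release strings such as 2.0-beta9 as x.y.0, and follows the page's own thresholds: 2.15 fixes CVE-2021-44228, 2.16 is the hardened version the vendor is rolling out. The sample JARs it builds for self-testing are constructed in memory.

```python
"""Inventory log4j-core JARs under a directory tree and classify each version.

Added example, not Schneider Electric's or the forum poster's tooling.
Version thresholds follow the advisory text: <2.15 vulnerable to
CVE-2021-44228, 2.15 fixed, 2.16 the hardened target to upgrade to.
"""
import io
import os
import re
import zipfile

# Standard Maven metadata path inside the log4j-core artifact (assumption: the
# deployment did not strip or repackage META-INF).
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)   # hardened release named on the page
PATCHED_VERSION = (2, 15, 0) # first release containing the CVE-2021-44228 fix
NESTED_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version_str):
    """Map a log4j-core version string to a status label."""
    v = parse_version(version_str)
    if v is None:
        return "unknown"
    if v < PATCHED_VERSION:
        return "vulnerable"        # CVE-2021-44228 JNDI lookup present
    if v < FIXED_VERSION:
        return "partially-fixed"   # 2.15: CVE fixed, but page recommends 2.16
    return "fixed"


def log4j_core_version(jar_bytes):
    """Return the version= value from log4j-core's pom.properties, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            if POM_PATH not in zf.namelist():
                return None
            for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    return None


def find_log4j(jar_bytes, label):
    """Return [(location, version)] for every log4j-core in jar_bytes,
    descending into JARs nested inside WAR/EAR/fat-JAR archives."""
    found = []
    ver = log4j_core_version(jar_bytes)
    if ver:
        found.append((label, ver))
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(NESTED_SUFFIXES):
                    found.extend(find_log4j(zf.read(name), f"{label}!{name}"))
    except zipfile.BadZipFile:
        pass  # not an archive at all; nothing nested to inspect
    return found


def scan_tree(root):
    """Walk root on disk; return [(location, version, status)] for each hit."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(NESTED_SUFFIXES + (".zip",)):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    data = fh.read()
                for where, ver in find_log4j(data, path):
                    report.append((where, ver, classify(ver)))
    return report


def build_sample_jar(version, nested_in=None):
    """Constructed test fixture: minimal JAR carrying log4j-core pom.properties.
    With nested_in set, wraps it inside an outer archive at that entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, "groupId=org.apache.logging.log4j\n"
                              f"artifactId=log4j-core\nversion={version}\n")
    data = buf.getvalue()
    if nested_in:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(nested_in, data)
        data = outer.getvalue()
    return data


if __name__ == "__main__":
    import sys
    for where, ver, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:16} {ver:10} {where}")
```

Run it as `python scan_log4j.py /opt/app` and treat every "vulnerable" or "partially-fixed" line as an upgrade or mitigation item; a clean run only proves that no JAR with intact Maven metadata was found, so shaded or repackaged copies of log4j-core still need a class-level check (for example, the presence of org/apache/logging/log4j/core/lookup/JndiLookup.class).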