On 2021-12-09, a vulnerability in Apache Log4j (a logging tool used in many Java-based applications)
was disclosed, that could allow remote unauthenticated attackers to execute code on vulnerable systems.
The vulnerability is tracked by Siemens as CVE-2021-44228 and is also known as \u201cLog4Shell\u201d.<\/p>\n\n\n\n
On 2021-12-14 an additional denial of service vulnerability (CVE-2021-45046) was published rendering
the initial mitigations and fix in version 2.15.0 as incomplete under certain non-default configurations.
Log4j versions 2.16.0 and 2.12.2 are supposed to fix both vulnerabilities.<\/p>\n\n\n\n
On 2021-12-17, CVE-2021-45046 was reclassified with an increased CVSS base score (from 3.7 to 9.0).
The potential impact of CVE-2021-45046 now includes – besides denial of service – also information
disclosure and local (and potential remote) code execution.<\/p>\n\n\n\n
Siemens is currently investigating to determine which products are affected and is continuously updating
this advisory as more information becomes available.<\/p>\n\n\n\n