CVE-2021-45046 - Siemens Simatic Wincc, Intel System Debugger and Intel Secure Device Onboard
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Affected software
Siemens Simatic Wincc
Intel System Debugger
Intel Secure Device Onboard
Intel Oneapi
Siemens Siveillance Vantage
Fedoraproject Fedora
Siemens Siveillance Command
Siemens Industrial Edge Management
Siemens Gma-manager
Apache Log4j
Netapp Cloud Insights Acquisition Unit
Siemens Xpedition Package Integrator
Siemens Siveillance Control
Siemens Siveillance Identity
Netapp Cloud Manager
Siemens Head-end System Universal Device Integration System
Siemens Mindsphere
Siemens Nx
Siemens Opcenter Intelligence
Siemens Mendix
Netapp Cloud Secure Agent
Netapp Oncommand Insight
Siemens Vesys
Netapp Snapcenter
Siemens Energyip Prepay
Intel Audio Development Kit
Siemens Sipass Integrated
Siemens Operation Scheduler
Netapp Ontap Tools
Debian Debian Linux
Siemens Logo\! Soft Comfort
Siemens Spectrum Power 4
Intel Datacenter Manager
Siemens Spectrum Power 7
Reference links
- http://www.openwall.com/lists/oss-security/2021/12/14/4
- https://logging.apache.org/log4j/2.x/security.html
- https://www.cve.org/CVERecord?id=CVE-2021-44228
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
- http://www.openwall.com/lists/oss-security/2021/12/15/1
- https://security.netapp.com/advisory/ntap-20211215-0001/