CVE-2021-44228 — CRITICAL (10.0)

Q: How severe is CVE-2021-44228?

CVE-2021-44228 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2021-44228?

Check the references section above for vendor advisories and patch information. Affected products include: Siemens 6Bk1602-0Aa12-0Tp0 Firmware, Siemens 6Bk1602-0Aa12-0Tp0, Siemens 6Bk1602-0Aa22-0Tp0 Firmware, Siemens 6Bk1602-0Aa22-0Tp0, Siemens 6Bk1602-0Aa32-0Tp0 Firmware.

Vulnerability Description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Siemens	6Bk1602-0Aa12-0Tp0 Firmware	< 2.7.0
Siemens	6Bk1602-0Aa12-0Tp0	-
Siemens	6Bk1602-0Aa22-0Tp0 Firmware	< 2.7.0
Siemens	6Bk1602-0Aa22-0Tp0	-
Siemens	6Bk1602-0Aa32-0Tp0 Firmware	< 2.7.0
Siemens	6Bk1602-0Aa32-0Tp0	-
Siemens	6Bk1602-0Aa42-0Tp0 Firmware	< 2.7.0
Siemens	6Bk1602-0Aa42-0Tp0	-
Siemens	6Bk1602-0Aa52-0Tp0 Firmware	< 2.7.0
Siemens	6Bk1602-0Aa52-0Tp0	-
Apache	Log4J	>= 2.0.1, < 2.3.1
Siemens	Sppa-T3000 Ses3000 Firmware	All versions
Siemens	Sppa-T3000 Ses3000	-
Siemens	Capital	< 2019.1
Siemens	Comos	< 10.4.2
Siemens	Desigo Cc Advanced Reports	3.0
Siemens	Desigo Cc Info Center	5.0
Siemens	E-Car Operation Center	< 2021-12-13
Siemens	Energy Engage	3.1
Siemens	Energyip	8.5

Related Weaknesses (CWE)

CWE-20 CWE-917 CWE-502 CWE-400

References

http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-ExeThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.hThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-DisExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-ExeExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.htmlThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.htmlThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.htmThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-BypThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.htmlBroken LinkThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4ExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.htmlExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-UnauthenticateExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-UnauthentiExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Third Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-ExploitThird Party AdvisoryVDB Entry

FAQ

What is CVE-2021-44228?

CVE-2021-44228 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker control...

How severe is CVE-2021-44228?

CVE-2021-44228 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-44228?

Check the references section above for vendor advisories and patch information. Affected products include: Siemens 6Bk1602-0Aa12-0Tp0 Firmware, Siemens 6Bk1602-0Aa12-0Tp0, Siemens 6Bk1602-0Aa22-0Tp0 Firmware, Siemens 6Bk1602-0Aa22-0Tp0, Siemens 6Bk1602-0Aa32-0Tp0 Firmware.