Pilz Hardware And Software Not Affected By "Log4Shell" Vulnerability In Software Library Log4j | 您所在的位置:网站首页 › ABB Library › Pilz Hardware And Software Not Affected By "Log4Shell" Vulnerability In Software Library Log4j |
December 17, 2021
Dear Madam or Sir,
On December 10th, 2021, the BSI (the German Federal Office for Information Security) published a cyber security alert on the so-called “Log4Shell” vulnerability in the software library Log4j. Log4j is used in many Java applications. From the BSI alert: “An IT security vendor blog [LUN2021] reports on vulnerability CVE-2021-44228 [MIT2021] in log4j versions 2.0 through 2.14.1, which may allow attackers to execute their own program code on the target system and thus compromise the server.” ••https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549177-1032.pdf
Further information is available at: ••https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Webanwendungen/log4j/log4j_node.html ••https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance (in English)
Pilz’s analysis revealed the following: ••Pilz hardware components do not use Java and thus no log4j. Therefore, these components are not affected. ••Pilz Software products partially use log4j versions 2.0 to 2.14.1 (current vulnerability CVE-2021-44228). Analyses to date have shown that it is highly unlikely that the vulnerability can be exploited. If, contrary to expectations, there is a risk, we will publish a security advisory. ••In some Pilz Software products, log4j version 1.2.x is used. The exploitation of the vulnerability in this version (CVE 2021-4104) requires, among other things, a specific configuration. However, this configuration is not used in Pilz Software products.
We hope this information is helpful to you. If you have any further questions, please contact our technical support:[email protected]. With best regards Pilz GmbH & Co. KG
Source
|
CopyRight 2018-2019 实验室设备网 版权所有 |