Read the official statement by AVEVA here (registration required)
*Blog has been updated with additional detail. Last update: 02 February 2022
PROBLEM
Which AVEVA products are affected by critical vulnerability ‘Log4Shell’ in Apache Log4j (CVE-2021-44228)?
NOTE: Guidance below also applies to additional Log4j vulnerabilities CVE-2021-45046 and CVE-2021-45105.
SOLUTION
AVEVA product offers are unaffected by Apache Log4j, except as described below:
Vulnerable
- AVEVA Historian versions 2017 to SP 2017 Update 3 SP1 P01 are affected through dependency on vulnerable versions of Elasticsearch. AVEVA has found no path for user input to be processed by the Elasticsearch component using vulnerable Log4j, which suggests a lower priority when planning defensive actions. AVEVA suggests either of two corrective actions:
  - Environments not using Historian Insight (since renamed Historian Client Web) can use the Windows Services Management Console to disable the embedded Elasticsearch by stopping and disabling the Wonderware Historian Search service.
  - Update Apache Log4j to version 2.17.1 using instructions in the attached Zip file (TA000032828 Readme Historian Log4j Patch).
- AVEVA Net Workhub and Dashboard on premise versions 5.1.5 and prior are affected through dependency on vulnerable versions of Accusoft PrizmDoc. AVEVA strongly recommends upgrading to a version of AVEVA Net Workhub and Dashboard that is in mainstream or extended support.
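The following PowerShell audit script is an added example, not AVEVA's own tooling or part of the TA000032828 patch: it checks a Historian host for the two conditions the corrective actions above describe (whether the Historian Search service is stopped and disabled, and whether any embedded log4j-core jar is still below 2.17.1). It assumes the service display name is "Wonderware Historian Search" as worded in the alert and that the embedded Elasticsearch lives under the placeholder path in $SearchRoot; adjust both to the local install.

```powershell
# Added example (not AVEVA's code): audit one AVEVA Historian host against the
# corrective actions in this Tech Alert. Assumptions: service display name as
# worded in the alert; $SearchRoot is a placeholder for the Historian install root.
param(
    [string]$ServiceName = 'Wonderware Historian Search',
    [string]$SearchRoot  = 'C:\Program Files (x86)\Wonderware'   # placeholder, assumption
)

# Remediation target stated in the alert: Log4j 2.17.1. Anything lower is flagged.
$FixedVersion = [version]'2.17.1'

# 1. Service state. Corrective action one is "stop and disable", so report both.
$svc = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "Service '$ServiceName' not found (Historian Search not installed?)"
} else {
    Write-Output ("Service '{0}': Status={1} StartType={2}" -f $svc.DisplayName, $svc.Status, $svc.StartType)
    if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
        Write-Output "  -> not stopped and disabled; jar versions below decide exposure"
    }
}

# 2. Log4j jar inventory. Elasticsearch bundles log4j-core-<version>.jar; read the
#    version from the file name and compare it against 2.17.1.
$jars = Get-ChildItem -Path $SearchRoot -Filter 'log4j-core-*.jar' -Recurse -ErrorAction SilentlyContinue
if (-not $jars) {
    Write-Output "No log4j-core jars found under $SearchRoot"
}
foreach ($jar in $jars) {
    if ($jar.BaseName -match '^log4j-core-(\d+(?:\.\d+)+)') {
        $v = [version]$Matches[1]
        $state = if ($v -lt $FixedVersion) { 'BELOW 2.17.1 - apply the patch' } else { 'ok' }
        Write-Output ("{0}  version={1}  {2}" -f $jar.FullName, $v, $state)
    } else {
        Write-Output ("{0}  version=unparsed (inspect manually)" -f $jar.FullName)
    }
}
```

A host where the service is already stopped and disabled needs no jar change for the first corrective action; the jar report is what matters when following the second.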
Mitigated
- AVEVA Historian versions 2020 and higher are unaffected through dependency on mitigated versions of Elasticsearch. See the Elastic security announcement regarding Apache Log4j in the external reference below. Optionally, update Apache Log4j to version 2.17.1 using instructions in the attached Zip file (TA000032828 Readme Historian Log4j Patch).
- AVEVA Net Workhub and Dashboard cloud offers as well as on premise versions 5.1.6 and higher are unaffected through dependency on mitigated versions of Accusoft PrizmDoc viewer.
- AVEVA BI Gateway dependency on Tableau Server can be patched by downloading OEM version 2021.4.2 from AVEVA or in accordance with guidance from Salesforce in the external references section below.
NOTE: Security scanners might detect Log4shell exposure in the AVEVA product offers above, even though the configuration is not vulnerable.
Investigation Pending
- Investigation of AVEVA products not in mainstream or extended support will leverage community reported findings and be periodically incorporated into this Tech Alert. CVE-2021-44228 was introduced into the Apache Log4j codebase in 2013.
Special Circumstance
- AVEVA Historian 2014 R2 SP1 P02 and all prior are unaffected due to dependency on versions of Elasticsearch that predate CVE-2021-44228; however, these Elastic versions are no longer supported by Apache. AVEVA strongly recommends upgrading to a version of AVEVA Historian that is in mainstream or extended support.
AVEVA is developing guidance and/or plans for security updates to address subcomponent dependency issues related to Apache Log4j.
AVEVA continues investigating potentially affected subcomponents in the supply chain for AVEVA product offers, partner integrations, and related websites.
AVEVA recommends customers deploy interim defensive measures in accordance with CISA recommendations below to help thwart Log4j vulnerability exploitation.
ADDITIONAL INFORMATION
This article pertains to all AVEVA products and will be updated as necessary.
Reference:
- Investigation CR-125798 and the original AVEVA notification: AVEVA Statement on the Apache Log4j vulnerability CVE-2021-44228
External References:
- General guidance from the Cybersecurity and Infrastructure Security Agency (CISA): Apache Log4j Vulnerability Guidance
- Tableau Server mitigations for existing releases:
- ESA-2021-31 – Elastic Security Announcement regarding Apache Log4j2 CVE-2021-44228: Apache Log4j2 Remote Code Execution (RCE) Vulnerability (Discuss the Elastic Stack, Security Announcements)
- Accusoft announcement on Log4j impacts to PrizmDoc: https://www.accusoft.com/support/apache-log4j-vulnerability/
For any questions or additional information, please contact our Support Center here.