AVEVA Statement on the Apache Log4j vulnerability CVE-2021-44228

Read the official statement by AVEVA here (registration required)

PROBLEM

Which AVEVA products are affected by critical vulnerability ‘Log4Shell’ in Apache Log4j (CVE-2021-44228)?

NOTE: Guidance below also applies to additional Log4j vulnerabilities CVE-2021-45046 and CVE-2021-45105.

SOLUTION

AVEVA product offers are unaffected by the Apache Log4j vulnerabilities, except as described below:

Vulnerable

  • AVEVA Historian versions 2017 to SP 2017 Update 3 SP1 P01 are affected through their dependency on vulnerable versions of Elasticsearch. AVEVA has found no path by which user input reaches the vulnerable Log4j inside the Elasticsearch component, which suggests a lower priority when planning defensive actions. AVEVA suggests either of two corrective actions:
    • Environments not using Historian Insight (since renamed Historian Client Web) can disable the embedded Elasticsearch by stopping and disabling the Wonderware Historian Search service in the Windows Services Management Console.
    • Update Apache Log4j to version 2.17.1 using the instructions in the attached Zip file (TA000032828 Readme Historian Log4j Patch).
  • AVEVA Net Workhub and Dashboard on-premise versions 5.1.5 and prior are affected through their dependency on vulnerable versions of Accusoft PrizmDoc. AVEVA strongly recommends upgrading to a version of AVEVA Net Workhub and Dashboard that is in mainstream or extended support.

Mitigated

  • AVEVA Historian versions 2020 and higher are unaffected through their dependency on mitigated versions of Elasticsearch. See the Elastic security announcement regarding Apache Log4j in the External References section below. Optionally, update Apache Log4j to version 2.17.1 using the instructions in the attached Zip file (TA000032828 Readme Historian Log4j Patch).
  • AVEVA Net Workhub and Dashboard cloud offers, as well as on-premise versions 5.1.6 and higher, are unaffected through their dependency on mitigated versions of the Accusoft PrizmDoc viewer.
  • The AVEVA BI Gateway dependency on Tableau Server can be mitigated in accordance with the guidance from Salesforce (Tableau's parent company) in the External References section below.

NOTE: Security scanners might report Log4Shell exposure in the AVEVA product offers listed above, typically because they match on the version of the bundled Log4j component rather than on whether untrusted input can reach it, even though the configuration is not vulnerable.
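To act on the Historian guidance above and to triage the scanner findings this note describes, an administrator needs two things on the Historian host: an inventory of which log4j-core JARs are present, at what version and whether they still carry the JNDI lookup class, and a controlled way to stop and disable the embedded Elasticsearch service. The following PowerShell script is an added example, not AVEVA's own tooling or the content of the attached Zip file. It assumes the service is found by the display name "Wonderware Historian Search" quoted in the alert, that the JARs live somewhere under the Program Files trees (override with -SearchRoot), and that 2.17.1 is the target version the alert instructs you to install.

```powershell
<#
Added example (not AVEVA code): inventory log4j-core JARs and optionally
disable the embedded Elasticsearch service on an AVEVA Historian host.
Assumptions (labelled): the service display name is "Wonderware Historian Search"
as stated in the Tech Alert; JARs are under -SearchRoot; fixed version is 2.17.1.
Run as: .\Check-HistorianLog4j.ps1 [-DisableSearchService] [-WhatIf]
#>
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]] $SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
    [version]  $FixedVersion = '2.17.1',
    [switch]   $DisableSearchService
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jCoreJar {
    # Returns one object per log4j-core*.jar under the given roots, with the
    # version read from the manifest (file name as fallback) and whether
    # JndiLookup.class, the class behind CVE-2021-44228, is still present.
    param([string[]] $Roots)
    foreach ($root in $Roots | Where-Object { $_ -and (Test-Path $_) }) {
        Get-ChildItem -Path $root -Recurse -Filter 'log4j-core*.jar' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $jar = $_
                $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
                try {
                    $ver = $null
                    $manifest = $zip.GetEntry('META-INF/MANIFEST.MF')
                    if ($manifest) {
                        $reader = New-Object System.IO.StreamReader($manifest.Open())
                        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
                        if ($text -match 'Implementation-Version:\s*(\d+(\.\d+)+)') { $ver = [version]$Matches[1] }
                    }
                    if (-not $ver -and $jar.Name -match 'log4j-core-(\d+(\.\d+)+)') { $ver = [version]$Matches[1] }
                    $hasJndi = [bool]($zip.Entries | Where-Object {
                        $_.FullName -eq 'org/apache/logging/log4j/core/lookup/JndiLookup.class' })
                    [pscustomobject]@{
                        Path       = $jar.FullName
                        Version    = $ver
                        JndiLookup = $hasJndi
                        BelowFixed = [bool]($ver -and $ver -lt $FixedVersion)
                    }
                } finally { $zip.Dispose() }
            }
    }
}

function Disable-HistorianSearchService {
    # Stops and disables the embedded Elasticsearch service (assumed display name).
    # Only appropriate where Historian Insight / Historian Client Web is not in use.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $DisplayName = 'Wonderware Historian Search')
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "No service with display name '$DisplayName' found."; return }
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop service and set StartupType=Disabled')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
    }
    Get-Service -Name $svc.Name
}

$jars = @(Get-Log4jCoreJar -Roots $SearchRoot)
$jars | Format-Table -AutoSize

# A scanner will flag any JAR below the fixed version that still contains
# JndiLookup.class; that is the set to reconcile against the alert's guidance.
$flagged = @($jars | Where-Object { $_.BelowFixed -and $_.JndiLookup })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) log4j-core JAR(s) below $FixedVersion still contain JndiLookup.class"
}

if ($DisableSearchService) { Disable-HistorianSearchService }
```

Run it first without -DisableSearchService to get the inventory; a JAR at 2.17.1 or later will still show JndiLookup.class present, which is expected and is exactly the version-only match a scanner may report as exposure. Add -WhatIf to see which service would be stopped and disabled before committing to the change.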

Investigation Pending

  • Investigation of AVEVA products that are not in mainstream or extended support will leverage community-reported findings and be periodically incorporated into this Tech Alert. The JNDI lookup behind CVE-2021-44228 was introduced into the Apache Log4j codebase in 2013 (Log4j 2.0-beta9), so older products may also bundle affected versions.

Special Circumstance

AVEVA Historian 2014 R2 SP1 P02 and all prior versions are unaffected because they depend on versions of Elasticsearch that predate CVE-2021-44228; however, these Elasticsearch versions are no longer supported by Elastic, and the Log4j 1.x line they rely on is no longer supported by Apache. AVEVA strongly recommends upgrading to a version of AVEVA Historian that is in mainstream or extended support.

AVEVA is developing guidance and/or plans for security updates to address subcomponent dependency issues related to Apache Log4j.

AVEVA continues investigating potentially-affected subcomponents in the supply chain for AVEVA product offers, partner integrations, and related websites.

AVEVA recommends that customers deploy interim defensive measures in accordance with the CISA recommendations in the External References section below to help thwart exploitation of the Log4j vulnerabilities.

ADDITIONAL INFORMATION

This article pertains to all AVEVA products and will be updated as necessary.
External References: