Bulletins

On 2021-12-09, a vulnerability in Apache Log4j (a logging tool used in many Java-based applications) was disclosed, that could allow remote unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2021-44228 and is also known as “Log4Shell”. Siemens is currently investigating to determine which products are …

The TCP/IP stack and related services (FTP, TFTP) of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS) contain several vulnerabilities, also known as “NUCLEUS:13” and as documented below. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens recommends countermeasures …

Multiple vulnerabilities (also known as “NUCLEUS:13”) have be identified in the Nucleus RTOS (real-time operating system) and reported in the Siemens Security Advisory SSA-044112: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf. The products listed below use affected versions of the Nucleus software and inherently contain these vulnerabilities. Siemens recommends specific countermeasures for products where updates are …

SIMATIC RTLS Locating Manager before V2.12 contains multiple vulnerabilities that could allow an attacker to read sensitive data or trigger a denial-of-service condition of the application service. Siemens has released an update for the SIMATIC RTLS Locating Manager and recommends to update to the latest version.

Siemens NX is affected by two vulnerabilities that could be triggered when the application reads OBJ files. If a user is tricked to open a malicious file with the affected application, this could lead to an access violation, and potentially also to arbitrary code execution on the target host system. …

Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. This could allow a local attacker to read those documents by exploring the browser cache. Mendix has released updates for the affected product lines, …

SENTRON powermanager V3 is affected by a vulnerability that could allow a local attacker to inject arbitrary code and escalate privileges. Siemens has released a security patch for SENTRON powermanager V3.6 HF1 and recommends to update to the latest version and apply this patch.