
Log4Shell Attack Exploit

16.12.2021


(The original article was written on 13.12.2021; updated on 14.12, 16.12 and 20.12.)

An extremely severe zero-day security issue, CVE-2021-44228, was discovered on December 10 in the Java logging library log4j v2.x.

Apache released log4j version 2.15.0 to fix the issue. They also published ways to mitigate the issue in earlier log4j versions, in case you cannot update them.

UPDATE (16.12.2021): Apache released log4j version 2.16.0 earlier this week to further limit the possibilities for additional vulnerabilities. Another issue, CVE-2021-45046, was discovered on December 14; it turned out that log4j 2.16.0 also fixes this issue.

UPDATE (20.12.2021): Apache released log4j2 version 2.17.0. It fixes CVE-2021-45105; however, our own applications are NOT affected, since we do NOT use Context Lookups in the PatternLayout that the application creates on first startup.
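To check which of the fix versions named above a deployment has actually reached, the following is an added inventory helper (not Prosys code and not part of the original post). It reads the log4j-core version from the Maven `pom.properties` that the library carries inside its JAR (also found in fat JARs that bundle it) and reports which of the three CVEs discussed here are still unfixed for that version; the fix thresholds are exactly the ones stated in this post, and the sample JAR it scans is constructed in a temporary directory.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Fix versions as stated in this post: 2.15.0 for CVE-2021-44228,
# 2.16.0 for CVE-2021-45046 and 2.17.0 for CVE-2021-45105.
FIXES = [("CVE-2021-44228", (2, 15, 0)),
         ("CVE-2021-45046", (2, 16, 0)),
         ("CVE-2021-45105", (2, 17, 0))]
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.15.0' or '2.15.0-rc1' -> (2, 15, 0); ValueError on malformed input."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised log4j version: {text!r}")
    return tuple(int(p) for p in parts)

def unfixed_cves(version):
    """CVEs from this post whose fix is newer than `version`; log4j1 (1.x)
    is out of scope because it is not affected by Log4Shell."""
    v = parse_version(version)
    return [cve for cve, fixed in FIXES if v < fixed] if v[0] == 2 else []

def log4j_core_version_from_jar(jar_path):
    """Version string from pom.properties, or None if log4j-core is not bundled."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PATH not in jar.namelist():
            return None
        props = jar.read(POM_PATH).decode("utf-8", errors="replace")
    m = re.search(r"^version=(.+)$", props, re.MULTILINE)
    return m.group(1).strip() if m else None

def scan_directory(root):
    """Map each JAR under `root` that bundles log4j-core to (version, unfixed CVEs)."""
    report = {}
    for jar in Path(root).rglob("*.jar"):
        version = log4j_core_version_from_jar(jar)
        if version is not None:
            report[str(jar)] = (version, unfixed_cves(version))
    return report

def demo():
    """Constructed input: a temp dir with one minimal JAR whose pom.properties
    says it bundles log4j-core 2.14.1; returns the scan report for it."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(Path(root) / "server.jar", "w") as jar:
        jar.writestr(POM_PATH, "version=2.14.1\nartifactId=log4j-core\n")
    return scan_directory(root)
```

The thresholds model the main 2.x line this post talks about; the separately patched 2.3.x and 2.12.x branches for older Java versions are not modelled, so treat a hit on those as something to verify by hand.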

We have investigated the vulnerability and how it affects our Java-based OPC UA products, and released updates to them accordingly. Please find the details below.

Prosys OPC UA products affected

The vulnerability affects directly

By default, the server applications log values that are client-controlled, and are therefore affected by the attack.

The vulnerability can affect

This assumes that they connect to a specially crafted server that sends data which gets logged and triggers the vulnerability in the logger.

Not directly affected

These are only affected if you have used log4j version 2.x (log4j2) as your logging library of choice. The SDK has used SLF4J since version 2.x. SLF4J can be directed to log4j2, but that configuration is done at the application level (as is done in our end-user products).

The SDK sample applications also use log4j1, which is compatible with Java 6.

The SDK version 1.x was using log4j version 1 (log4j1) directly.

Log4j1 is NOT affected by Log4Shell.

UPDATE (16.12.2021): Since there are other known vulnerabilities in log4j1, we recommend updating to the latest log4j2 wherever possible. Please see our forum for more details about these.

For users of SDK 1.x we recommend updating to the latest version of the SDK (first to 3.x and then to 4.x), if possible.

Not affected

UPDATE (14.12.2021): These products are not affected by the issue since they are not Java-based and therefore they don’t include log4j:

Fixed products

UPDATE (16.12.2021): Updated the list with the versions that include log4j version 2.16.0.

More security information

You will find the currently announced security issues in Prosys OPC products from the blog under the #Security tag.

You might also like to read about the OPC UA Security Process of the OPC Foundation.

Bjarne Boström

Software Engineer

Email: bjarne.bostrom@prosysopc.com

Expertise and responsibility areas: OPC UA product development and project work

Tags: OPC UA, Security
