2021-12-17 Vulnerability of Log4j

Title: Vulnerability of Log4j
Reporter: CVE-2021-44228
Hilscher Ticket: -

Affects: not affected
Not affected

CIF, COM, cifX, comX, netX, netIC, netJACK, netRAPID, netTAP, netHOST, netSWITCH, netLINK MPI & Proxy, netFIELD Device, Smartwire Gateways

netX/cifX toolkit and CIF / CifX device drivers

Sycon32, Sycon.net, Communication Studio, DTM Library, DeviceLibrary, netHOST Tool, Ethernet Device Configuration, netX Configuration Tool, DeviceExplorer

netANALYZER

netFIELD.io / netFIELD CLOUD

netFIELD Device Manager

netFIELD App PROFINET / EtherCAT Tap

netFIELD App PROFINET Device

netFIELD App Platform Connector

netFIELD App OPC UA Client

netFIELD App Edge Monitor


Impact: None
CVSS: 0
Severity: NONE

Last modified

 

Vulnerability Description

General

The vulnerability tracked as CVE-2021-44228, also known as “Log4Shell”, was disclosed in the Apache Log4j component. Log4j is a popular logging tool used in many Java-based applications.
The disclosed vulnerability could allow remote unauthenticated attackers to execute code on vulnerable systems. More details regarding the Log4j vulnerabilities are available at https://logging.apache.org/log4j/2.x/security.html.


This advisory evaluates how the Log4j vulnerability affects the products provided by Hilscher.

Hilscher's Statement on the Log4j vulnerability

Hilscher devices based on EC1 and netX are not affected by the Log4j vulnerability because they do not use Java in general and do not use this particular Log4j component.

The following Hilscher product lines are not affected:

  • CIF, COM, cifX, comX, netX, netIC, netJACK, netRAPID, netTAP, netHOST, netSWITCH, netLINK MPI & Proxy, netFIELD Device, Smartwire Gateways

The Hilscher netX/cifX toolkit and CIF / CifX device drivers as well as supplementary tools (cifX Setup, cifX Test) are not affected.


Hilscher PC tools for device / network configuration do not use Java or Log4j and are not affected:

  • Sycon32, Sycon.net
  • Communication Studio
  • DTM Library, DeviceLibrary
  • netHOST Tool
  • Ethernet Device Configuration
  • netX Configuration Tool
  • DeviceExplorer

The following Hilscher products are not based on Java and are not affected:

  • netANALYZER
  • netFIELD.io / netFIELD CLOUD
  • netFIELD Device Manager
  • netFIELD App PROFINET / EtherCAT Tap
  • netFIELD App PROFINET Device
  • netFIELD App Platform Connector
  • netFIELD App OPC UA Client
  • netFIELD App Edge Monitor


The netX Studio CDT IDE is not affected by the Log4j vulnerability. Log4j is not used directly by any of the netX Studio CDT components developed by Hilscher. The netX Studio CDT IDE is bundled with Log4j version 1.2.15 as an indirect dependency of the Eclipse JGit and Eclipse CDT components, which are not vulnerable (see the official statement from the Eclipse Foundation: https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)).
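
To check on an installation which Log4j generation is actually bundled, as described above for netX Studio CDT, the following added example (not Hilscher's or Eclipse's code) scans archives for Log4j 1.x classes versus log4j-core 2.x and its JndiLookup class. The marker class paths, finding labels and function names are assumptions of this example, not taken from the advisory.

```python
import io
import os
import zipfile

# Class paths used as markers (Log4j packaging facts, not taken from the advisory):
LOG4J1_CLASS = "org/apache/log4j/Logger.class"         # Log4j 1.x package
LOG4J2_CORE = "org/apache/logging/log4j/core/"         # log4j-core 2.x package
JNDI_LOOKUP = LOG4J2_CORE + "lookup/JndiLookup.class"  # lookup class behind CVE-2021-44228
ARCHIVES = (".jar", ".war", ".ear")

def classify_archive(data, depth=0):
    """Return the set of Log4j findings in an archive given as bytes."""
    found = set()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found                      # not a readable archive; skip it
    with zf:
        names = set(zf.namelist())
        if LOG4J1_CLASS in names:
            found.add("log4j-1.x")        # also matches 1.x API bridge jars
        if any(n.startswith(LOG4J2_CORE) for n in names):
            found.add("log4j-core-2.x+JndiLookup" if JNDI_LOOKUP in names
                      else "log4j-core-2.x-no-JndiLookup")
        if depth < 3:                     # fat jars nest their dependencies
            for n in names:
                if n.lower().endswith(ARCHIVES):
                    found |= classify_archive(zf.read(n), depth + 1)
    return found

def scan_tree(root):
    """Map each archive under root to its findings (archives with none are omitted)."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVES):
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    found = classify_archive(fh.read())
                if found:
                    report[path] = found
    return report

def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes} for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A `log4j-1.x` finding matches the bundling this advisory describes; a `log4j-core-2.x+JndiLookup` finding means that archive needs a version check against the Apache security page linked above.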


This advisory will be updated as more information becomes available.

Disclaimer

The security advisory and information contained herein are provided on an "as is" basis and do not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. The information in this advisory should not be construed as a commitment by Hilscher. In no event shall Hilscher be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, nor shall Hilscher be liable for incidental or consequential damages arising from use of any software or hardware described in this advisory.
Hilscher provides no warranty, express or implied, for the information contained in this document, and assumes no responsibility for the information contained in this document or for any errors that may appear in this document. Your use of the advisory and information contained herein, or materials linked from the advisory, is at your own risk. Information in this advisory and any related communications is based on our knowledge at the time of publication and is subject to change without notice. Hilscher reserves the right to change or update advisories at any time.