It seems almost all the Siemens products are affected by Log4j vulnerability as Siemens uses Java in most of their industrial products. For most of the products no remediation is available and there has been some workarounds and suggested but this might not work well according to the latest update on the Apache Log4j vulnerability. The best way to prevent intrusion is to update your web application firewall rules and block incoming and external traffic to the apps hosted on these servers. (As on Dec15th)
| Product | Versions | Status | Patched/Fixed |
|---|---|---|---|
| Capital | All > 2019.1 SP1912 | Vulnerable | Not Patched |
| Cosmos Desktop App | All versions | Vulnerable | Not Patched |
| Desigo CC Advanced Reporting | V4.0, V4.1, V4.2, V5.0, V5.1 | Vulnerable | Not Patched |
| Desigo CC Info Center | V5.0, V5.1 | Vulnerable | Not Patched |
| E-Car OC Cloud Application | All version < Dec13th | Vulnerable | Fixed |
| EnergyIP Prepay | V3.7, V3.8 | Vulnerable | Fixed |
| GMA-Manager | All versions > V8.6.2j-398 | Vulnerable | Not Patched |
| HES UDIS | All versions | Vulnerable | Not Patched |
| Industrial Edge Management App | All versions | Vulnerable | Not Patched |
| Industrial Edge Management OS | All versions | Vulnerable | Not Patched |
| Industrial Edge Manangement Hub | All versions | Vulnerable | Fixed |
| LOGO! Soft Comfort | All versions | Vulnerable | Not Patched |
| Mendix Applications | All versions | Vulnerable | Not Patched |
| Mindsphere Cloud Application | All versions < Dec11th | Vulnerable | Fixed |
| NX | All versions | Vulnerable | Not Patched |
| Opcenter Intelligence | All versions > 3.2 | Vulnerable | Not Patched |
| Operation Scheduler | All versions >= V1.1.3 | Vulnerable | Not Patched |
| SIGUARD DSA | V4.2, V4.3, V4.4 | Vulnerable | Not Patched |
| SIMATIC WinCC V7.4 | All versions < V7.4 SP1 | Vulnerable | Not Patched |
| SiPass integrated V2.80 | All versions | Vulnerable | Not Patched |
| SiPass integrated V2.85 | All versions | Vulnerable | Not Patched |
| Siveillance Command | All versions | Vulnerable | Not Patched |
| Siveillance Control Pro | All versions | Vulnerable | Fixed |
| Siveillance Identity V1.5 | All versions | Vulnerable | Not patched |
| Siveillance Identity V1.6 | All versions | Vulnerable | Not patched |
| Siveillance Vantage | All versions | Vulnerable | Not patched |
| Solid Edge Wiring Harness Design | All versions >= 2020 SP2002 | Vulnerable | Not patched |
| Spectrum Power™ 4 | All versions only with jROS | Vulnerable | Fixed |
| Spectrum Power™ 7 | All versions < V2.30 with jROS | Vulnerable | Fixed |
| Spectrum Power™ 7 | All versions >= V2.30 SP2 | Vulnerable | Fixed |
| Teamcenter Suite | All versions | Vulnerable | Not patched |
| VeSys | All versions | Vulnerable | Not patched |
| Xpedition EDM Client | All versions | Vulnerable | Not patched |
| Xpedition EDM Server | All versions | Vulnerable | Not patched |
| Xpedition Package Integrator | All versions | Vulnerable | Not patched |
Firewall Mitigation:
If you are using any of the Siemens products above then the best mitigation is put firewall rules that blocks any incoming as well as outgoing connections from the servers and apps that host these apps. (This has been also suggested by Siemens)