Apache Log4J

[BobLfoot]

IT will be making more and more news that the Apache Logging Unit - LogShell ot Log4J2 has a major remote access vulnerability.  This is a widely used subsystem and so I am posting what I've been able to garner about affected automation products here and hope others post factual not anecdotal evidence here as well.

Aveva Wonderware - https://wonderwarenorth.com/tech-alerts/Tech%20Alert%20-%20Apache%20Log4j.pdf

Rockwell Automation - https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1133605/loc/en_US#__highlight

GE Proficy - https://digitalsupport.ge.com/communities/servlet/fileField?retURL=%2Fcommunities%2Fapex%2FKnowledgeDetail%3Fid%3DkA28a000000bzlgCAA%26lang%3Den_US%26Type%3DArticle__kav&entityId=ka28a000000c3DPAAY&field=File_1__Body__s

[pturmel]

The Ignition SCADA platform from Inductive Automation is completely unaffected:

https://forum.inductiveautomation.com/t/apache-log4j-vulnerability-cve-2021-44228/54050

Most third-party plug-in providers have announced that their modules are unaffected (like mine).

(The Ignition SDK for third parties provides logging through their infrastructure, so it would have to be a particularly brain-dead developer involved.)