"Several Siemens products used for process and network control and monitoring in critical infrastructure sectors are affected by four vulnerabilities in the company's OpenSSL cryptographic software library.The vulnerabilities – CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 – can be exploited remotely, and fairly easily, to hijack a session as part of a man-in-the-middle attack or to crash the web server of the product, according to a Thursday ICS-CERT post. Siemens has already issued updates for APE versions prior to version 2.0.2 and WinCC OA (PVSS), but has only issued temporary mitigations for CP1543-1, ROX 1, ROX 2, and S7-1500.
The products are typically used in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors, according to the post.
so this is how one cares about critical infrastructure ? and this by an enormous big firm with all the resources at its disposal to find remedies in time if it wanted to ?
and so this is only launched last week and with only temporary mitigations for some other installations ? what does that mean for a critical installation ?
in fact it means that critical installations shouldn't have internet connections if they are really critical and if our lives or health depend on it
and secondly that if you install software or hardware in such critical environments you don't use untested products like openssl (all the 10 year old bugs that are being found now weren't tested in all these years contrary to the popular myth that code is better when it is opensourced because more people are looking at the code)