CVE-2021-44228 a.k.a. Log4Shell
This article presents information on the Log4Shell vulnerability in the Apache Log4j component. It provides guidance on steps to strengthen your cybersecurity.
To: Universal Robots Customers
From: Universal Robots
Date: 17th December 2021
Subject: Cybersecurity: CVE-2021-44228 a.k.a. Log4Shell
Universal Robots takes cybersecurity very seriously.
Earlier this month it was discovered that the Apache Log4j component used for logging messages from a running application can potentially allow an attacker to load arbitrary code from a remote location and have it executed on a vulnerable host. This Log4j issue is known as the Log4Shell vulnerability.
Log4j is used very widely in applications throughout the world, and it is present in all versions of CB3 and e-Series cobot software released until now.
Certain circumstances are required for this vulnerability to be exploited. These circumstances are generally not present when using UR cobots.
Log4Shell is a manageable risk for integrators and users. But for extra peace of mind, a fix has been released in the 5.11.7/3.15.6 software update to address the Log4Shell vulnerability. This update is available on the Support Site for both CB3 and e-Series cobots.
You should be aware that:
- Remote exploitation of the Log4Shell vulnerability requires your cobot to be accessible for incoming connections from the Internet. This is typically prevented by the company’s firewall.
- UR cobots accessible from a LAN are exposed only to attacks originating from that network. Therefore, as always, keep your network secure.
Cobots from Universal Robots are not designed to be accessible for direct inbound access from the Internet. Security of your network is essential to the security of your cobot. The cybersecurity features of UR cobots, together with your own network security, will protect your cobots.
We strive to improve cybersecurity continuously and therefore we recommend always using the latest software version which is available via our website.
Instructions for protecting your e-Series cobots
If used correctly, the cybersecurity features available in software versions starting from SW 5.10.0 will protect your e-Series cobot from network Log4Shell vulnerabilities.
Cybersecurity functionality is accessible via the menu (also known as the burger menu) at the top right corner of PolyScope. Tap the menu and select Settings.
The first line of defense, if not done already, is to change the factory default Admin password. On the Settings screen, select the Password > Admin tab:
Enter the current password (‘easybot’ per factory default), enter a new password of your own choice twice, and tap the Apply button. Remember your password!
You now need to configure the cybersecurity settings. On the Settings screen, select the Security tab. Unlock this by entering your Admin password (the one you just set) at the bottom of the screen. You are now able to access the three tabs of security settings (General, Secure Shell, and Services):
The ideal security setup depends on your application. You’ll find all the functionality needed to protect your cobot on the three Security tabs.
Specifically, in relation to Log4Shell, limit the access to the Dashboard Server interface:
- Some applications don’t use this interface at all, so disable it on the Services tab.
- Applications using the Dashboard Server interface can strengthen security by limiting the access to this interface to a specific host or subnet. Go to the General tab to limit access to the Dashboard Server.
- Advanced users can configure SSH to set up an authenticated and encrypted connection to specific interfaces by using SSH tunneling.
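After restricting the Dashboard Server on the General tab, it is worth confirming from the network that the restriction actually holds. The following script is an added example and not Universal Robots' own tooling; it assumes the Dashboard Server listens on TCP 29999 (the port UR documents for it; adjust if yours differs), that you run it once from a host that should have access and once from a host that should not, and that the allowed host or subnet you configured in PolyScope is passed on the command line.

```python
"""Post-hardening check for a UR cobot's Dashboard Server exposure (added example)."""
import ipaddress
import socket
import sys

DASHBOARD_PORT = 29999  # assumed default Dashboard Server port; override if needed


def is_port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def is_client_allowed(client_ip: str, allowed: str) -> bool:
    """Decide whether client_ip falls inside the host or subnet configured on the General tab.

    `allowed` may be a single address ("192.168.10.5") or a CIDR block ("192.168.10.0/24").
    """
    network = ipaddress.ip_network(allowed, strict=False)
    return ipaddress.ip_address(client_ip) in network


def verify_exposure(robot_ip: str, my_ip: str, allowed: str, port: int = DASHBOARD_PORT) -> str:
    """Compare what the policy says about this host with what the network actually does.

    Returns "ok-allowed", "ok-blocked", "UNEXPECTED-open" or "UNEXPECTED-closed".
    """
    expected = is_client_allowed(my_ip, allowed)
    observed = is_port_reachable(robot_ip, port)
    if expected and observed:
        return "ok-allowed"
    if not expected and not observed:
        return "ok-blocked"
    if observed:
        return "UNEXPECTED-open"    # policy says blocked, but the port answered
    return "UNEXPECTED-closed"      # policy says allowed, but nothing answered


if __name__ == "__main__":
    # usage: python check_dashboard.py <robot_ip> <this_host_ip> <allowed_host_or_cidr>
    robot, me, allowed = sys.argv[1:4]
    print(verify_exposure(robot, me, allowed))
```

An "UNEXPECTED-open" result from a host outside the allowed subnet means the restriction is not in effect and the settings should be revisited before the cobot is put back into service.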
To ease integration of UR cobots, the default settings keep most interfaces open. As a general precaution and to protect against cybersecurity attacks in general, familiarize yourself with the security features and consider all options for tightening security in your applications.
Universal Robots tech support will guide and assist in matters relating to Log4Shell and cybersecurity in general.