
Operational Updates
On this page, you will find important security information from Volue.
OpenSSL Vulnerabilities: CVE-2022-3602 & CVE-2022-3786
We are aware of the two vulnerabilities in OpenSSL - the CVE identifiers are CVE-2022-3602 & CVE-2022-3786.
The vulnerabilities are classified as 8.8 (HIGH) with the potential of crashing the service, which would lead to a denial of service attack, or in some cases a potential remote code execution.
Update 9 November
Current status: Internal investigation is completed.
No exploitable vulnerabilities found in Volue's software. As previously communicated, vulnerable 3rd party components have been identified. Volue supports and follows recommendations from 3rd party software vendors regarding mitigating steps related to the OpenSSL vulnerabilities.
FME Server
Safe Software has identified that the newer version of FME Server is vulnerable. Our production environment is using an older version of FME Server that is not vulnerable. The vulnerable version in our dev/test environment is temporarily shut down, awaiting a new mitigated version.
ArcGIS Server
Marked as potentially vulnerable and affects software from Power Grid and Infrastructure. ESRI has not released an official statement regarding confirmed vulnerabilities in their software. Volue refers to ESRI's official status page: OpenSSL V3 Vulnerability (esri.com)
Our consultants can be available to assist customers with processes related to updating 3rd party components.
Please contact support@volue.com or see the 3rd party providers statements described in the links above.
Update 7 November
Current status: Investigation underway. Vulnerable 3rd party components identified
Vulnerable 3rd party components found:
- FME Server – this is now mitigated.
- ArcGIS Server: Pending further information. The current statement from ESRI:
Esri is inventorying our products and systems potentially impacted by the vulnerability. OpenSSL 3.x is not widely utilized in Esri products and online services. If a product is impacted information will be added here. For updates or further information see their full statement.
The following products have completed investigation with no identified vulnerable components:
- Volue Energy (former ProCom)
- Volue Trading Solutions (former Likron)
- Industrial IoT (former Scanmatic)
Update 4 November
Current status: Investigation underway. Vulnerable 3rd party components identified
Vulnerable 3rd party components found:
- FME Server.
- ArcGIS Server: Pending further information. The current statement from ESRI:
Esri is inventorying our products and systems potentially impacted by the vulnerability. OpenSSL 3.x is not widely utilized in Esri products and online services. If a product is impacted information will be added here. For updates or further information see their full statement.
The following products have completed investigation with no identified vulnerable components:
- Volue Energy (former ProCom)
- Volue Trading Solutions (former Likron)
- Industrial IoT (former Scanmatic)
Log4J: Important Information for Customers
Last updated 21 December 2021 at 17:38 CET: Product summary information about Gebyr (webløsning), Gemini Vannmåler, Gemini Slam, Gemini Renovasjon, Gemini Oppfølging and Gemini Melding added.
Update 18 December
Volue is aware of two new updates in the Log4J vulnerabilities. The attack vector, meaning how an attacker can exploit the vulnerability, may now include servers and computers with no internet exposure as well.
The severity for the "second" vulnerability (CVE-2021-45046) was upgraded from 3.7 (LOW) to 9.0 (CRITICAL) as researchers have found a way to execute code and gain control of a vulnerable system. Volue is aware of this and is working on additional mitigating actions.
Additionally, today, a new vulnerability for the Log4J component has been released. We're currently looking into this. The score for the new vulnerability is set to 7.5 (HIGH); it can be used for Denial of Service (taking the service down) but cannot be used to take control of the system.
Any additional mitigating actions needed on customer-facing systems and the Volue product portfolio due to the new updates are under way with high priority.
Below is a list of Volue products and a summary of recommendations and guidelines for mitigations related to each product.
Update 17 December
Information about ArcGIS Enterprise/ ArcGIS Server and Network Collector updated 17 December.
Update 15 December
During the last 24 hours, researchers have discovered that the newly released patch for Apache Log4J that mitigates the critical CVE-2021-44228 was incomplete in certain non-default configurations.
The second vulnerability is rated 3.7 out of a maximum of 10 (which is "Low") on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. Log4J versions 1.x are not affected by this vulnerability.
According to recent updates, known consequences of the second vulnerability do not include the possibility of taking control of systems or exfiltrating data. However, it may be used to crash Log4J, which may result in a "Denial of Service", basically meaning that the service may go down as a consequence of Log4J crashing.
Upgrades to Log4J version 2.16.0
- If the Log4J upgrade has not been done yet, Log4J version 2.16.0 will be installed instead of 2.15.0 as originally planned.
- If the Log4J upgrade to version 2.15.0 is already done, an upgrade to version 2.16.0 may be planned at a later time or during normal system maintenance.
We are also investigating the potential impact of a third vulnerability, CVE-2021-4104. This only affects Log4J versions 1.2.x where a class named JMSAppender is actively configured. This is not the default configuration and thus requires active enabling of the class. No relevant instances have been identified within the Volue product portfolio.
Prioritised work of mitigating the initial critical vulnerability continues as planned.
Update 14 December
On 9 December, it became widely known that the Apache logging component called Log4j has a critical software vulnerability named Log4Shell.
Over the last few days, Volue has methodically mapped all potentially vulnerable software and components in its portfolio and has taken precautionary actions as well as put in place plans for recommended mitigations for all relevant products.
No security breaches caused by the Log4j vulnerability have been discovered.
(Archived) Updates on the cyberattack on Volue
Update 12 July 2021
- Update on Cyberattack on Volue published including the financial impact. Read the news on volue.com - click here.
Update 23 June 2021
- Postmortem report published. Read the news on volue.com - click here.
Update 17 May 2021
For more information, please contact the Volue support.
Update 16 May 2021
For more information, please contact the Volue support.
Update 15 May 2021
For more information, please contact the Volue support.
Update 14 May 2021
For more information, please contact the Volue support.
Update 13 May 2021
For more information, please contact the Volue support.
Volue Water and Community Update 12 May 2021 - 13:00 CEST
For more information, please contact the Volue support.
Filesharing 11 May 2021 - 16:15 CEST
As the details and consequences of the ransomware attack have increasingly become clear, Volue is ready to continue projects and efforts for and with our customers. We therefore want to signal that we have assessed risks related to sharing of files between Volue and external stakeholders such as customers and partners.
The ransomware Ryuk has targeted parts of Volue’s data and encrypted it with a key. The data itself is not infected but made unreadable after the attack. Due to Office 365 and the security features that were in place on the tenant before the attack, the attackers have not been able to affect files in the tenants for Volue and Powel.
We therefore deem filesharing between Volue employees and our customers safe. We cannot see risk in any environment, as affected Volue workstations were quarantined after the attack and continue to be so until they are either flushed or replaced by new workstations.
Generally, we always recommend that customers and partners be careful about files being sent, and that receivers ensure that the sender of a file is, in fact, the person it is thought to be. However, we emphasize that this is not a policy based on any risk of infection from the attack, but a general best practice to decrease the prevalence of phishing attacks from actors that pretend to be someone they are not.
Update 11 May 2021 - 10:10 CEST
We have conducted daily webinars since last Friday. However, as we have made considerable progress and are starting to deem products and customers safe, today marks the last webcast on the overall situation.
For more information, please contact the Volue support.
Update 10 May 2021 - 10:30 CEST
The next webcast will be held on Tuesday, 11 May, at 9:30 CEST. Register for the daily update webcast here.
For more information, please contact the Volue support.
Update 9 May 2021 - 10:30 CEST
The next webcast will be held on Monday, 10 May, at 9:30 CEST. Register for the daily update webcast here.
For more information, please contact the Volue support.
Update 8 May 2021 - 10:30 CEST
The next webcast will be held on Sunday, 9 May, at 9:30 CEST. Register for the daily update webcast here.
For more information, please contact the Volue support.
Recovery Status 8 May 2021 - 08:00 CEST
Based on these investigations, it appears likely that the vast majority of Powel / Volue portfolio and applications have not been compromised. These investigations are ongoing, but we believe we can say with a high degree of confidence that applications on the list of our Recovery Status page (link removed, Tue, 11 May) are not compromised and as such are considered operational. We will update the list continuously.
GDPR Implications 7 May 2021 - 15:00 CEST
We have uploaded additional information about the ransomware attack on Volue Technology. Please find below additional information about the consequences of the cyberattack against Volue Technology AS and its daughter companies in relation to the General Data Protection Regulation (GDPR):
- English
- Norwegian
Update 7 May 2021 - 11:00 CEST
The ransomware attack on Volue Technology (“Powel”) was caused by Ryuk, a type of malware usually known for targeting large, public-entity Microsoft Windows systems. The Ryuk group is not known for exfiltrating and publicly exposing data. Also, they are not known for performing supply chain attacks. Yesterday, we published technical guidance for our customers on the Urgent Update page on volue.com.
Our operation Stop & Recover continued throughout the day. The highest priority is to assess a cyberattack impact status for Volue Technology’s products and services. We will provide more information on the status on Saturday’s webcast.
A Volue Emergency Team was also immediately established and is now coordinating all our efforts internally, and towards our security partners and relevant authorities. In the meantime, we strongly advised our customers to contact the relevant national contact supervisory authorities about the data breach as quickly as possible.
Transparency and communication are important for us. In our daily status webcasts, held every morning at 9.30 am followed by a press release, we will inform you about the current situation. The next webcast is streamed on Saturday, 8 May, 9.30 am.
Register for the daily update webcast here.
View today's recorded session here.
For more information, please contact the Volue support.
Technical Guidance 6 May - 22:30 CEST
Can you provide more information about the type of attack?
The ransomware attack on Volue Technology (“Powel”) was caused by Ryuk, a type of malware usually known for targeting large, public-entity Microsoft Windows systems. The Ryuk group is not known for exfiltrating and publicly exposing data. They are not known for performing supply chain attacks.
“Ryuk does not have a data exfiltration feature or a dedicated leak website to publish data stolen from their victims” (French National Cybersecurity Agency, page 4).
Which technical guidance do you provide for your customers?
This is an evolving investigation involving security experts and external partners. Though we have some leads, we cannot yet say for certain when the breach occurred, from what vector or the extent of the affected applications and servers. For now, we are recommending measures in addition:
- Monitor for abnormal login activity.
- Look for Indications of Compromise (IOC):
  - Files with “.RYK” extension
  - Scheduled tasks with random names
  - Files named “xxx.exe”
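A sweep for the three indicators listed above, as an added example that is not part of Volue's guidance or tooling. The function names, the literal reading of “xxx.exe”, the randomness heuristic with its thresholds, and the sample task list are all assumptions made for illustration.

```python
import csv
import io
import math
import os
from collections import Counter

def sweep_files(root):
    """Return sorted (ioc, path) pairs for the two file indicators under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(".ryk"):
                hits.append(("ryk-extension", os.path.join(dirpath, name)))
            elif lower == "xxx.exe":  # assumption: the name is meant literally
                hits.append(("xxx.exe", os.path.join(dirpath, name)))
    return sorted(hits)

def looks_random(leaf, min_len=8, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic (an assumption, not a Ryuk signature): long, unseparated,
    high-entropy, vowel-poor names are unlikely to be human-chosen."""
    s = leaf.lower()
    if len(s) < min_len or not s.isalnum():
        return False
    counts = Counter(s)
    entropy = -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())
    vowels = sum(s.count(v) for v in "aeiou")
    return entropy >= min_entropy and vowels / len(s) <= max_vowel_ratio

def suspicious_tasks(schtasks_csv):
    """Parse `schtasks /query /fo csv /nh` output; return flagged task paths."""
    flagged = set()
    for row in csv.reader(io.StringIO(schtasks_csv)):
        if not row or not row[0].startswith("\\"):
            continue  # skip blank lines and anything that is not a task path
        if looks_random(row[0].rsplit("\\", 1)[-1]):
            flagged.add(row[0])
    return sorted(flagged)

# Constructed sample of schtasks CSV output (not taken from a real host).
SAMPLE_TASKS = (
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n'
    '"\\GoogleUpdateTaskMachineCore","11/05/2021 10:00:00","Ready"\n'
    '"\\qzkxwvbtrpl","N/A","Ready"\n'
    '"\\kXq7vT2mZb9w","N/A","Running"\n'
)

if __name__ == "__main__":
    import sys
    for ioc, path in sweep_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[file] {ioc}: {path}")
    for task in suspicious_tasks(SAMPLE_TASKS):
        print(f"[task] random-looking name: {task}")
```

The task-name heuristic will miss short or pronounceable random names and can flag legitimate GUID-like tasks, so treat its output as a triage list to review by hand.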
Do you have useful resources about the Ryuk attack you can share with us?
- Information about Ryuk from French National Cybersecurity Agency: click here.
- Statistics about Ryuk attacks: click here.
Update 6 May - 15:30 CEST
Volue ASA was yesterday, 5 May 2021, subject to a cyberattack impacting Volue Technology (“Powel”).
The ransomware attack on Volue Technology (“Powel”) was caused by Ryuk, a type of malware usually known for targeting large, public-entity Microsoft Windows systems.
The attack impacted some of Volue Technology’s front-end customer platforms. All systems impacted by the ransomware attack have been actively shut down for further security assessments. We cannot at this point see any impacts for Insight (“Wattsight”), Market Services (“Markedskraft”), Industrial IoT (“Scanmatic”) and Likron.
Yesterday, we started the operation Stop & Recover. For this operation, we have increased the number of technical and support resources. We are aiming to gain full control over impacted systems and, with regards to GDPR, the nature of the personal data breach including the categories and an approximate number of personal subjects concerned. Moreover, we are investigating the consequences of the breach. However, there is no evidence that customer data has been exploited at this time.
It is strongly advised that our customers contact the relevant national contact supervisory authorities about the data breach as quickly as possible.
Later today, we will publish additional guidance for our customers’ technical teams on the Urgent Update page on volue.com.
Transparency and communication are important for us. We invite you to follow our daily status webcasts. The webcasts will be held every morning at 9.30 am followed by a press release, starting with the first webcast tomorrow.
Link to Webcast: https://volue.zoom.us/webinar/register/WN_mkxx9xa8TXCNhpKKrjYv4Q
For more information, please contact the Volue support and follow this page on volue.com
Update 5 May - 23:30 CEST
Volue ASA was today, 5 May 2021, subject to a cyberattack impacting Volue Technology (“Powel”). At this point, Volue cannot see any impacts by the breach for Insight (“Wattsight”), Market Services (“Markedskraft”), Industrial IoT (“Scanmatic”) and Likron.
The ransomware attack encrypted some of Volue Technology’s files, databases and applications. We were able to identify the threat and have stopped the spreading across networks for now.
The attack impacted some of our front-end customer platforms. All systems impacted by the ransomware attack have been actively shut off for further security assessments.
In the first customer update, we recommended changing the password on services delivered by Volue. We want to clarify that this recommendation only applies to customers that have Volue Technology (“Powel”) user accounts which Volue employees can use to remotely access the customer’s systems (e.g. RDP, VPN). These customers are - as a precaution - advised to change the password for such accounts.
We are currently working with external security consultants to handle the incident and will implement additional security measures.
As we believe in transparency, we are here to help and answer your questions. Contact the Volue support and follow the Urgent Update page on volue.com
Update 5 May - 16:50 CEST
We have published a publicly available update about the cyberattack. Click here to read the press release.
In addition to the information already shared with our customers, we added the following:
"Volue Technology’s (“Powel”) operations teams seem to be impacted by the attack. At this point, Volue cannot see any impacts by the breach for Insight (“Wattsight”), Market Services (“Markedskraft”), Industrial IoT (“Scanmatic”) and Likron."
Update 5 May - 15:00 CEST
Volue was today subject to a cyber-attack impacting operation in some of the company's business areas. Mitigating actions were immediately implemented and currently there seems to be limited impact on front-end customer platforms.
We discovered a cyberattack on parts of Volue. We immediately deployed our cyber task force and initiated mitigating actions. All affected applications were shut down and backup solutions initiated as far as possible. We have been supported by our external data security partners to neutralise the attack. Relevant authorities are informed.
We ask all our customers to immediately log off from potential user accesses they may have towards Volue’s internal servers, in order to avoid any further spreading of the ransomware. For security reasons, we recommend our customers change the password on services delivered by Volue.
Our priority is to ensure safe and uninterrupted operations for you, our customers. Our short-term production capacity will be affected over the next few days, but it’s too early to indicate the operational and financial impact, as well as the timing to resolve the situation.
Volue is doing our utmost to limit the impact on our customers and will continuously provide updates. Information on the cyber-attack will be continuously updated on this page.
Support is available as usual for practical questions related to the use of our solutions.