1-Visitor
December 22, 2021
Solved

log4j on Creo Parametric - not using Creo product insight extension?

Hi,

We don't use the "Creo Product Insight" extension, nor do we have a license for it. Are we at risk with the log4j vulnerability? Seems to me if we don't use the extension then the Java code won't be run, and no one can log in and therefore can't do any remote code or anything. Are we at risk considering this, do we need to remove the mentioned JAR files? This is for Creo 5.0.4.0.

Bruce
    Best answer by MarkFahlbeck

    Hello,


    As noted in the following articles, it is recommended to remove the JAR file to mitigate any potential log4j 1.x risks:

    https://www.ptc.com/en/support/article/CS359127

    https://www.ptc.com/en/support/article/CS000359361


    The 1.x log4j vulnerabilities are different in nature than the 2.x vulnerabilities, and not a full 1/10 on the severity scale. However, this simple step will ensure that no users are accidentally exposed to these vulnerabilities in case they somehow get curious and explore the JAR files, or perhaps even request a trial of Creo Product Insight and explore its functionality.


    There are links to the 1.x CVEs in the articles above that may be referred to in order to better understand the vulnerabilities and assess the risks of leaving the files in place.


    Forward-looking information: Creo 8.0.3.0, which should release within 1-2 weeks, will be updated to the latest log4j. This is tentatively planned for implementation in 7.0.7.0 when it is released in the next few weeks as well.
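    As an added example (not from this post or from PTC's articles), a small Python inventory check that reports whether each JAR under an install tree is a log4j 1.x or 2.x build, by reading the JAR manifest and class paths, so an administrator can confirm what is present before and after removing the file. The Creo load point path is an assumption, and the sample JARs are constructed in memory.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, Optional

# Constructed sample JARs (manifest only, built in memory); none are real Creo files.
def _fake_jar(manifest: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

SAMPLE_JARS = {
    "log4j-1.2.17.jar": _fake_jar(
        "Implementation-Title: log4j\r\nImplementation-Version: 1.2.17\r\n"),
    "log4j-core-2.17.0.jar": _fake_jar(
        "Implementation-Title: Apache Log4j Core\r\nImplementation-Version: 2.17.0\r\n"),
    "other-lib.jar": _fake_jar("Implementation-Title: other\r\n"),
}

_TITLE_RE = re.compile(r"^Implementation-Title:\s*(.+?)\s*$", re.M)
_VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)

def classify_jar(data: bytes) -> Optional[str]:
    """'1.x', '2.x' or 'unknown-version' for a log4j JAR; None for anything else."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None  # not a JAR, or no manifest: cannot judge from metadata alone
    title = _TITLE_RE.search(manifest)
    # log4j 1.x lives under org/apache/log4j/, 2.x under org/apache/logging/log4j/
    has_classes = any(n.startswith(("org/apache/log4j/", "org/apache/logging/log4j/")) for n in names)
    if not has_classes and not (title and "log4j" in title.group(1).lower()):
        return None
    ver = _VERSION_RE.search(manifest)
    major = ver.group(1).split(".")[0] if ver else ""
    return {"1": "1.x", "2": "2.x"}.get(major, "unknown-version")

def scan_jars(jars: Dict[str, bytes]) -> Dict[str, str]:
    """Map JAR name -> log4j line for every JAR that looks like log4j."""
    return {n: k for n, d in jars.items() if (k := classify_jar(d)) is not None}

def scan_directory(root: Path) -> Dict[str, str]:
    """Same scan over a real tree, e.g. the Creo load point (path is an assumption)."""
    return scan_jars({str(p): p.read_bytes() for p in root.rglob("*.jar")})
```

    Run `scan_directory(Path(r"C:\Program Files\PTC\Creo 5.0.4.0"))` (assumed install path) to list every log4j JAR under the install with its major line; an empty result after removal confirms the cleanup.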

    1 reply

    1-Visitor
    December 22, 2021

    Sorry, I think this should maybe be under the Administration sub-forum; maybe someone with the rights can move it?


    24-Ruby III
    December 23, 2021

    Hi Mark,


    Thanks for the detailed answer.