log4j on Creo Parametric - not using Creo product insight extension?

ChastainBruce
4-Participant

Hi,

We don't use the "Creo Product Insight" extension, nor do we have a license for it. Are we at risk from the log4j vulnerability? It seems to me that if we don't use the extension, then the Java code won't be run, and no one can log in and therefore can't do any remote code execution or anything. Are we at risk considering this, and do we need to remove the mentioned JAR files? This is for Creo 5.0.4.0.

Bruce
1 ACCEPTED SOLUTION

Accepted Solutions

Hello,

As noted in the following articles, it is recommended to remove the JAR file to mitigate any potential log4j 1.x risks:

https://www.ptc.com/en/support/article/CS359127

https://www.ptc.com/en/support/article/CS000359361

The 1.x log4j vulnerabilities are different in nature from the 2.x vulnerabilities, and not a full 1/10 on the severity scale. However, this simple step will ensure that no users are accidentally exposed to these vulnerabilities in case they somehow get curious and explore the JAR files, or perhaps even request a trial of Creo Product Insight and explore its functionality.

There are links to the 1.x CVEs in the article above that may be referred to in order to better understand the vulnerabilities and assess the risks of leaving the files in place.

Forward-looking information: Creo 8.0.3.0, which should release within 1-2 weeks, will be updated to the latest log4j. This is tentatively planned for implementation in 7.0.7.0 when it is released in the next few weeks as well.

Mark Fahlbeck

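The accepted answer above recommends removing the bundled log4j 1.x JAR, and a later reply points out that doing this across many hundreds of installations is the hard part. The following script is an added example, not code from PTC or from anyone in this thread: it walks an installation tree, opens every JAR as a zip archive, and classifies it as log4j 1.x, log4j 2.x or unrelated by looking for the well-known class paths `org/apache/log4j/Logger.class` (1.x) and `org/apache/logging/log4j/core/Logger.class` (2.x), reading the version from the manifest where one is present. It only reports; removal stays the administrator's step, per the PTC articles. The sample directory layout, JAR names and versions it builds for demonstration are constructed here and are not Creo's actual paths.

```python
"""Inventory log4j JARs under an install tree (added example; reports only, never deletes)."""
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Class entries that distinguish the two log4j lines. These are the real
# package layouts of log4j 1.x and log4j-core 2.x, not assumptions.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/Logger.class"


@dataclass
class JarFinding:
    path: str
    line: str                 # "1.x", "2.x", "none" or "unreadable"
    version: Optional[str]    # from the manifest, if present


def _manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Return Implementation-Version or Bundle-Version from META-INF/MANIFEST.MF, if any."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for raw in manifest.splitlines():
        key, sep, value = raw.partition(":")
        if sep and key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None


def inspect_jar(path: str) -> JarFinding:
    """Classify one JAR by its class-path markers; a corrupt archive is flagged, not skipped."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if LOG4J1_MARKER in names:
                line = "1.x"
            elif LOG4J2_MARKER in names:
                line = "2.x"
            else:
                line = "none"
            return JarFinding(path, line, _manifest_version(zf))
    except zipfile.BadZipFile:
        return JarFinding(path, "unreadable", None)


def scan_tree(root: str) -> List[JarFinding]:
    """Inspect every *.jar below root (case-insensitive extension match)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return findings


def log4j1_jars(root: str) -> List[str]:
    """Paths of log4j 1.x JARs, i.e. the files the PTC articles recommend removing."""
    return sorted(f.path for f in scan_tree(root) if f.line == "1.x")


def summarize(root: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map JAR file name -> (log4j line, manifest version) for quick reporting."""
    return {os.path.basename(f.path): (f.line, f.version) for f in scan_tree(root)}


def build_sample_tree() -> str:
    """Constructed sample install tree: one 1.x jar, one 2.x jar, one unrelated jar.
    Directory names and versions are made up for the demo; they are not Creo's layout."""
    root = tempfile.mkdtemp(prefix="sample_install_")

    def make_jar(relpath: str, entries: List[str], manifest: str) -> None:
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
            for entry in entries:
                zf.writestr(entry, b"")   # empty stand-in for the class bytes

    make_jar("ext/sample_ext/lib/log4j-1.2.17.jar", [LOG4J1_MARKER],
             "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
    make_jar("ext/sample_other/log4j-core-2.17.1.jar", [LOG4J2_MARKER],
             "Manifest-Version: 1.0\nBundle-Version: 2.17.1\n")
    make_jar("lib/helper.jar", ["com/example/Helper.class"], "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for name, (line, version) in sorted(summarize(sample_root).items()):
        print(f"{name:28} log4j {line:10} version {version}")
    print("log4j 1.x JARs to review for removal:", log4j1_jars(sample_root))
```

Point `scan_tree` at a real installation root instead of `build_sample_tree()` to produce an inventory; run from a deployment tool across the fleet, the `log4j1_jars` list becomes the evidence that each installation has (or has not yet) had the file removed, which addresses the "getting to 100%" problem raised later in the thread.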

4 REPLIES

Sorry I think this should maybe be under the Administration sub forum, maybe someone with the rights can move it?


Hi Mark,

Thanks for the detailed answer.

Thank you for the detailed answer, Mark. However, I'm not sure I agree it's always a simple step when you have many hundreds of installations. We'll probably get the vast majority, but getting to 100% will be tough.
