cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Need help navigating or using the PTC Community? Contact the community team. X

log4j on Creo Parametric - not using Creo product insight extension?

ChastainBruce
4-Participant

log4j on Creo Parametric - not using Creo product insight extension?

Hi,

We don't use the "Creo Product Insight" extension, nor do we have a license for it, are we at risk with the log4j vulnerability? Seems to me if we don't use the extension then the java code won't be ran, and no one can log in and therefor can't do any remote code or anything. Are we at risk considering this, do we need to remove the mentioned jar files? This is for Creo 5.0.4.0

Bruce
ACCEPTED SOLUTION

Accepted Solutions

Hello,

 

As noted in the following articles, it is recommended to remove the JAR file to mitigate any potential log4j 1.x risks:

https://www.ptc.com/en/support/article/CS359127

https://www.ptc.com/en/support/article/CS000359361

 

The 1.x log4j vulnerabilities are different in nature than the 2.x vulnerabilities, and not a full 1/10 on severity scale.  However, this simple step will ensure there are no users are accidentally exposed to these vulnerabilities if in case they somehow get curious and explore the JAR files, or perhaps even request a trial or Creo Product Insight and explore functionality.

 

There are links to the 1.x CVEs in the article above that may be referred to in order to better understand the vulnerabilities and asses the risks with leaving the files in place.

 

Forward looking information: Creo 8.0.3.0, which should release within 1-2 weeks, will be updated to latest log4j.  This is tentatively planned for implementation in 7.0.7.0 when it is released in next few weeks as well,


Mark Fahlbeck

View solution in original post

4 REPLIES 4

Sorry I think this should maybe be under the Administration sub forum, maybe someone with the rights can move it?

Hello,

 

As noted in the following articles, it is recommended to remove the JAR file to mitigate any potential log4j 1.x risks:

https://www.ptc.com/en/support/article/CS359127

https://www.ptc.com/en/support/article/CS000359361

 

The 1.x log4j vulnerabilities are different in nature than the 2.x vulnerabilities, and not a full 1/10 on severity scale.  However, this simple step will ensure there are no users are accidentally exposed to these vulnerabilities if in case they somehow get curious and explore the JAR files, or perhaps even request a trial or Creo Product Insight and explore functionality.

 

There are links to the 1.x CVEs in the article above that may be referred to in order to better understand the vulnerabilities and asses the risks with leaving the files in place.

 

Forward looking information: Creo 8.0.3.0, which should release within 1-2 weeks, will be updated to latest log4j.  This is tentatively planned for implementation in 7.0.7.0 when it is released in next few weeks as well,


Mark Fahlbeck

 Hi Mark,

 

Thanks for the detailed answer.

thank you for the detailed answer Mark. However I'm not sure if I agree it's always a simple step when you have many hundreds of installations. We'll probably get the major majority but to get 100% will be tough. 

Announcements
NEW Creo+ Topics: Real-time Collaboration


Top Tags