
Detailed Info regarding WT Security-Update TAN 151324

PaulReiff
1-Newbie


Hello everybody,

does anyone have more detailed information concerning last week's Windchill security update and the related TAN 151324?

PTC keeps sending mails about the urgency of this security update, but very little information is provided on the details page for TAN 151324 (https://www.ptc.com/appserver/cs/view/solution.jsp?n=151324).

No hint of what the threat actually consists of, no threat scenarios, nothing.

Does anyone have more information?

Thanks and kind regards

Paul Reiff


Paul,

PTC is not releasing that information. I have asked them about it, and nothing. The only thing I know is that PTC strongly encourages us to install this patch. I even asked PTC if there were anything I should be testing or how to validate that the patch plugged whatever the security loophole was, and I got nothing from them.


Sorry,

Alexius C. Chukwuka
IT Analyst, PDP Systems
John Deere Power Systems
Product Engineering Center
avillanueva
22-Sapphire I
(To:PaulReiff)

Looking at what files changed, it looked like some stuff related to WVS.
From what I remember, that API had some gaping holes, like relying on
FTP and not SCP. But I do not know the details either. For security
reasons, it is wise that they do not say too much.
WesTucker
4-Participant
(To:PaulReiff)

Good points. One note: I also noticed what files were being updated.
They are saying that the issue isn't limited to WVS though and they seem
confident in the testing performed on the patch. I don't remember seeing
this level of a response from PTC before which served to motivate me to
expedite the patch. I don't really know if it is an issue they haven't
dealt with before, or new policies for dealing with them.

The reply I received after pushing a bit and asking about WVS:

.........

I'm a delivery manager for Windchill and one of the point contacts
around this security update.

As per our legal department, we cannot divulge any technical information
around this update or give any information as to what functionality is
affected. We have committed this to our customer base as a general best
practice.

What I can tell you is every Windchill system in the 9.0 and 9.1
families should be updated. This is not limited to any add-ons or
optional components. Additionally, this patch will not affect any
customizations or functionalities. We have tested the patch and
thousands of sites have installed it without any significant issues.

Thanks so far, so I seem not to be the only one who's curious about this mysterious security gap.

It would be helpful to know at least if the problem is less serious if Windchill is only reachable through Intranet.

If I'll find out more, I'll post it here.

Kind regards

Paul

jessh
5-Regular Member
(To:PaulReiff)

I am not speaking for PTC, only for myself, but...

It is quite normal for companies to be very tight-lipped about the
nature of security fixes -- releasing details long after the fixes have
been made available (if at all). Being on the user/customer side in
many cases, I can understand that this can be a source of annoyance. It
is, however, a necessary precaution in today's world when it comes to
security.

Again speaking only for myself, security, performance, stability, etc,
fixes in software I use push me to aggressively update to the latest
maintenance releases and security fixes as they become available -- lest
I fall victim to known issues which have already been addressed,
security or otherwise. It's just a fact of life with software. Being
on the latest maintenance release also really speeds up troubleshooting
interactions with software support organizations in my experience.

--
Jess Holle
