Skip to main content
C
CC_39112501-Visitor
1-Visitor
March 21, 2026
Question

Critical vulnerability CVSS10.0

  • March 21, 2026
  • 3 replies
  • 1157 views

I am using Windchill PDMLink Release 10.0 and Datecode with CPS M010

Critical vulnerability (CVSS10.0) in its Windchill and FlexPLM products. Want to add the immediate remediation steps but don't understand instructions.
Currently have "D:\ptc\Windchill_12.1\HTTPServer\conf\conf.d\30-app-Windchill-Auth.conf" file. Do I simply create the new 90-app-Windchill-auth.conf and ONLY put the entry that was sent in the remediation or do I copy the 30-app file renaming to 90-app and have all of my configuration settings plus remediation???

 

Some of the replies to this topic were published during the recent read-only period. We have manually republished the missing posts to preserve the integrity of the topic. Learn more.

April 2, 2026

The Community team

3 replies

A
AtharvaD14-Alexandrite
14-Alexandrite
March 21, 2026

Hello @CC_3911250 ,

You need to create the 90-app-Windchill-auth.conf and ONLY put the entry that was sent in the remediation.

as per https://www.ptc.com/en/support/article/CS466318

Regards,

Atharva

olivierlp
olivierlpCommunity Manager
Community Manager
April 2, 2026

Initially posted by ​@bmüller on March 30,2026

 

 

Hi  ​@AtharvaD 

with the second remediation, is there any reason to create 2 files with only those configs? or will one 90-... file with both work too? in "normal Apache" this should make no difference.

Regards,

Bernhard

Olivier
S
SS_1031629816-Pearl
16-Pearl
March 21, 2026


Apache HTTP Server Configuration – Workaround Steps

 

  1. Create a new Apache configuration file:
    <APACHE_HOME>/conf/conf.d/90-app-Windchill-Auth.conf 

  2. Add the following directive to the file:

    <LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">
 Require all denied
</LocationMatch>

  3. Save the configuration file.


    NOTE: If other Apache configuration files exist with sequence numbers higher than 90, ensure this new file is the last in the sequence.

  4. Restart Apache HTTP Server for changes to take effect:

    • Linux: 
      apachectl stop
apachectl start
    • Windows (Service):
      • Open Services
      • Stop Apache HTTP Server
      • Start Apache HTTP Server
olivierlp
olivierlpCommunity Manager
Community Manager
April 2, 2026

Initially posted by ​@SS_10316298  on March 30,2026

 

Hi ​@CC_3911250,

Since you are currently on Windchill PDMLink Release 10.0 with CPS M010, we have documented a remediation for this version in the following article:

@bmüller , For Windchill 11.0 and above, please follow the steps outlined in the referenced articles below:
 

For this update, you can create a new file in the 90–99 range.

From my understanding, the order does not matter as long as both files are placed at the end of the sequence.


I hope this provides the clarity you needed.


Best regards,
Samarth Shelke

Olivier
olivierlp
olivierlpCommunity Manager
Community Manager
April 2, 2026

Initially posted by ​@bmüller on March 30,2026

 

Hi ​@SS_10316298 

but why 2 files? Why not a single file 90-app-Windchill-Auth.conf and add both blocks: 

 

<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.wrmf\.transport\.httptransport\.ReconnectedHttpURLCon(?:;[^/]*)?/.*$">
    Require all denied
</LocationMatch>

<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">
  Require all denied
</LocationMatch>

 

Olivier
olivierlp
olivierlpCommunity Manager
Community Manager
April 2, 2026

Initially posted by ​@mmeadows-3 on March 30,2026

 

The articles were not written at the same time and are designed to be independent.  So, each article identifies a unique file name.  There is no reason to create two files.  In your combined file, ensure they are in the order defined by the articles (90 first and 91 second).  Also document these changes to make it easier to identify the source of the changes.  I created a single 90-app-Windchill-Auth.conf file.

 

# Security Patches
# 3/23/2026 https://www.ptc.com/en/support/article/CS466318
<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/com\.ptc\.wvs\.server\.publish\.Publish(?:;[^/]*)?/.*$">
Require all denied
</LocationMatch>

# 3/28/2026 https://www.ptc.com/en/support/article/CS466866
<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.wrmf\.transport\.httptransport\.ReconnectedHttpURLCon(?:;[^/]*)?/.*$">
    Require all denied
</LocationMatch>

  

Olivier
Terms & ConditionsCookie settingsAccessibility statement