Article - CS358901

ThingWorx Apache log4j vulnerability - Incident Response

Modified: 06-May-2024


Applies to

  • ThingWorx Platform 8.1 to 9.4
  • ThingWorx Analytics 8.5 to 9.4
  • And all currently supported versions

Description

  • Customer alert and recommendations for remediation of the identified Apache log4j vulnerability CVE-2021-44228. This vulnerability is in a third-party library that PTC software uses for logging of application errors, events and associated information. If exploited, the vulnerability allows remote and potentially malicious code execution in your environments.
  • This vulnerability will be fixed in maintenance versions of the ThingWorx platform, including 8.5, 9.0, 9.1 and 9.2, either by updating the log4j library or by removing its usage from our software.
  • In the interim, there may be configuration settings that remove the vulnerability; PTC recommends applying these immediately to the ThingWorx installations and components identified in this article.
  • Please note that PTC does not hold responsibility for third-party use of Log4j in custom solutions, which will still require remediation. This applies to all listed items in the ThingWorx Product Suite.
  • Log4j 2.x has the following reported vulnerabilities:

    • CVE-2021-44228:

      • Description: Log4j JNDI features do not protect against attacker controlled LDAP and other JNDI endpoints.

    • CVE-2021-45105:

      • Description: Log4j 2.x did not protect against uncontrolled recursion from self-referential lookups, which can cause a denial of service (DoS).

    • CVE-2021-44832:

      • Description: An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

  • Log4j 1.x has the following reported vulnerabilities:

    • CVE-2021-4104:

      • Description: A JMSAppender configuration with TopicBindingName and TopicConnectionFactoryBindingName causes deserialization of untrusted data, which can result in remote code execution (RCE).

    • CVE-2019-17571:

      • Description: The SocketServer class is vulnerable to deserialization of untrusted data, which can lead to remote code execution (RCE).
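As a defender-side aid for the inventory step that precedes remediation, the following Python script (an added example, not PTC tooling or part of this article) walks an installation directory, finds log4j jars, and maps each one to the CVEs listed above. The fixed-version thresholds come from the Apache advisories for the 2.x main line (the 2.3.x and 2.12.x backport lines are not modelled), and the directory names, jar names and fixture jars are constructed for the demonstration.

```python
import os
import re
import tempfile
import zipfile
# Apache's documented interim mitigation for CVE-2021-44228 is deleting this class from log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# log4j-core-<ver>.jar (2.x) or log4j-<ver>.jar (1.x); log4j-api and bridge jars are skipped.
JAR_NAME = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")

def applicable_cves(version, jndi_present):
    """CVEs from the article for a (major, minor, patch) tuple; fix versions follow the
    Apache 2.x main line (the 2.3.x and 2.12.x backport lines are not modelled)."""
    if version[0] == 1:  # every 1.x release ships JMSAppender and SocketServer
        return ["CVE-2021-4104", "CVE-2019-17571"]
    cves = []
    if version < (2, 15, 0) and jndi_present:
        cves.append("CVE-2021-44228")  # JNDI lookup RCE, fixed in 2.15.0
    if version < (2, 17, 0):
        cves.append("CVE-2021-45105")  # self-referential lookup DoS, fixed in 2.17.0
    if version < (2, 17, 1):
        cves.append("CVE-2021-44832")  # JDBC appender JNDI data source, fixed in 2.17.1
    return cves

def scan_jars(root):
    """Walk an installation tree and yield each log4j jar with its version and CVEs."""
    for dirpath, _, files in os.walk(root):
        for m in filter(None, map(JAR_NAME.match, sorted(files))):
            version = tuple(int(x or 0) for x in m.groups())
            path = os.path.join(dirpath, m.group(0))
            with zipfile.ZipFile(path) as jar:
                jndi = JNDI_CLASS in jar.namelist()
            yield {"path": path, "version": version, "jndi_lookup": jndi,
                   "cves": applicable_cves(version, jndi)}

def make_sample_jar(directory, name, with_jndi):
    """Constructed fixture, not a real log4j build: a manifest plus optional empty JndiLookup entry."""
    os.makedirs(directory, exist_ok=True)
    with zipfile.ZipFile(os.path.join(directory, name), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")

def demo():
    """Four constructed jars under a temp dir; returns {relative path: cves} from the scan."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "platform"), "log4j-core-2.14.1.jar", True)    # unpatched
    make_sample_jar(os.path.join(root, "analytics"), "log4j-core-2.14.1.jar", False)  # class removed
    make_sample_jar(os.path.join(root, "legacy"), "log4j-1.2.17.jar", False)          # log4j 1.x
    make_sample_jar(os.path.join(root, "upgraded"), "log4j-core-2.17.1.jar", True)    # fixed release
    return {os.path.relpath(f["path"], root).replace(os.sep, "/"): f["cves"] for f in scan_jars(root)}
```

Point `scan_jars` at a real ThingWorx installation directory to get the same per-jar report; a jar with the JndiLookup class removed still reports the two remaining 2.x CVEs, which is why the interim mitigation does not replace the maintenance-version upgrade.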

This PDF version of Article 358901 may be outdated. Current version: CS358901