Log4j Security Vulnerability Response Center

Check here for the latest information on the Log4j security vulnerability by PTC product (Apache Log4j CVE-2021-44228).

Last Updated: January 14, 2022 at 9:45 a.m.

PTC's Remediation Strategy

All product remediation actions provided by PTC will apply to current and actively supported software versions. However, the remediation steps for these versions will be similar or identical to earlier versions that leverage Log4j v1 or v2 and are no longer actively supported by PTC.

PTC strongly encourages customers on non-supported versions to take similar actions to protect their infrastructure and not to assume that previous versions of the software are unaffected by the vulnerabilities disclosed to date. Notably, PTC provides numerous security and performance-related improvements as we release new versions of our software. PTC strongly advocates for customers to leverage supported versions at their earliest opportunity to take advantage of these improvements and have the strongest possible security posture.

PTC believes that addressing cybersecurity threats is a shared responsibility across software providers, customers and active users of the software, partners and software integrators, governments and regulators, and more. PTC remains committed to fulfilling its role as a software provider in this shared responsibility model and strongly encourages other groups – including customers and active users – to fulfill theirs.

Recommended Remediation by Core Product

For products not listed below, we will provide recommended actions as they become available. Please refer back to this alert for future updates.

If you need to contact PTC, please go to: www.ptc.com/support.

  • AdaWorld

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 15, 2021 at 8:08 p.m.

  • ApexAda

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 15, 2021 at 8:08 p.m.

  • Arena

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 14, 2021 at 11:45 p.m.

  • Atlas

    Resolved, 5:30 AM EST Friday, December 10, 2021.

  • Arbortext

    https://www.ptc.com/en/support/article/CS358998

    Updated December 15, 2021 at 9:45 a.m.

  • Arbortext Content Delivery

    https://www.ptc.com/en/support/article/CS358957

    Updated December 23, 2021 at 9:33 a.m.

  • Arbortext IsoDraw

    Not vulnerable to Log4j CVE-2021-44228 vulnerability. Refer to CS358831 for impacts related to the Creo License Server: https://www.ptc.com/en/support/article/CS358831

    Updated January 14, 2022 at 9:45 a.m.

  • Axeda

    https://www.ptc.com/en/support/article/CS358990

    Updated December 14, 2021 at 11:45 p.m.

  • CADDS5

    https://www.ptc.com/en/support/article/CS359313

    Updated December 17, 2021 at 4:11 p.m.

  • Creo Direct

    https://www.ptc.com/en/support/article/CS358831

    Updated January 14, 2022 at 9:45 a.m.

  • Creo Elements Direct

    https://www.ptc.com/en/support/article/CS358965

    Updated December 22, 2021 at 9:22 a.m.

  • Creo Generative Design

    Not vulnerable to Log4j CVE-2021-44228 vulnerability. No further action required.

    Updated December 15, 2021 at 8:08 a.m.

  • Creo Illustrate

    Not vulnerable to Log4j CVE-2021-44228 vulnerability. Refer to CS358831 for impacts related to the Creo License Server: https://www.ptc.com/en/support/article/CS358831

    Updated January 14, 2022 at 9:45 a.m.

  • Creo Layout

    https://www.ptc.com/en/support/article/CS358831

    Updated January 14, 2022 at 9:45 a.m.

  • Creo Parametric

  • Creo Schematics

    https://www.ptc.com/en/support/article/CS358831

    Updated January 14, 2022 at 9:45 a.m.

  • Creo Simulate

    https://www.ptc.com/en/support/article/CS358831

    Updated January 14, 2022 at 9:45 a.m.

  • Creo View

    Not vulnerable to Log4j CVE-2021-44228 vulnerability. Refer to CS358831 for impacts related to the Creo License Server: https://www.ptc.com/en/support/article/CS358831

    Updated January 14, 2022 at 9:45 a.m.

  • Creo View Adapters

    https://www.ptc.com/en/support/article/CS359116

    Updated December 22, 2021 at 9:22 a.m.

  • Empower

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 16, 2021 at 3:50 p.m.

  • iWarranty

    Warranty analytics (Service Intelligence) uses IBM Cognos. Please refer to the Cognos section below under "3rd Party Tools/Products" for more details. All other modules are not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 17, 2021 at 9:11 a.m.

  • Kepware

    https://www.ptc.com/en/support/article/CS358996

    Updated December 15, 2021 at 8:45 a.m.

  • Mathcad

    https://www.ptc.com/en/support/article/CS358831

    Updated January 14, 2022 at 9:45 a.m.

  • MKS Implementer

    https://www.ptc.com/en/support/article/CS359084

    Updated December 17, 2021 at 4:19 p.m.

  • MKS Toolkit

    https://www.ptc.com/en/support/article/CS359123

    Updated December 17, 2021 at 4:15 p.m.

  • MOVE

    https://www.ptc.com/en/support/article/CS359320

    Updated December 17, 2021 at 5:26 p.m.

  • ObjectAda

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 15, 2021 at 8:08 p.m.

  • Onshape

    Resolved 9:30 AM EST Friday, December 10, 2021.

    Updated December 14, 2021 at 11:45 p.m.

  • Optegra

    https://www.ptc.com/en/support/article/CS359312

    Updated December 17, 2021 at 4:12 p.m.

  • Perc

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 14, 2021 at 11:45 p.m.

  • PTC X/Server

    https://www.ptc.com/en/support/article/CS359314

    Updated December 17, 2021 at 4:17 p.m.

  • Service Knowledge Diagnostics (SKD)

    Not vulnerable to Log4j CVE-2021-44228 vulnerability. Analysis of Log4j 1.x underway.

    Updated December 14, 2021 at 11:45 p.m.

  • Servigistics

    https://www.ptc.com/en/support/article/CS358886

    Updated December 21, 2021 at 11:41 a.m.

  • TeleUSE

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 15, 2021 at 8:08 p.m.

  • ThingWorx Analytics

    https://www.ptc.com/en/support/article/CS358901

    Updated December 15, 2021 at 9:45 a.m.

  • ThingWorx Navigate

    https://www.ptc.com/en/support/article/CS359107

    Updated December 14, 2021 at 5 p.m.

  • ThingWorx Platform

    https://www.ptc.com/en/support/article/CS358901

    Updated December 14, 2021 at 11:58 p.m.

  • Vuforia Chalk

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 14, 2021 at 11:45 p.m.

  • Vuforia Engine SDK

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 14, 2021 at 11:45 p.m.

  • Vuforia Engine Server

    Resolved 9:28 AM PST Friday, December 14, 2021.

    Updated December 16, 2021 at 12:56 p.m.

  • Vuforia Expert Capture

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 14, 2021 at 11:45 p.m.

  • Vuforia Instruct

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 14, 2021 at 11:45 p.m.

  • Vuforia Studio

    Not vulnerable to Log4j CVE-2021-44228 vulnerability. This update includes Vuforia Experience Service and Vuforia View.

    Updated December 17, 2021 at 12:08 p.m.

  • Webship

    https://www.ptc.com/en/support/article/CS359321

    Updated December 17, 2021 at 5:26 p.m.

  • Windchill Asset Library

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 17, 2021 at 12:09 p.m.

  • Windchill Modeler

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 14, 2021 at 11:45 p.m.

  • Windchill PLM and FlexPLM

    https://www.ptc.com/en/support/article/CS358789

    Updated January 12, 2022 at 9:17 a.m. EST

  • Windchill Process Director

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 21, 2021 at 4:32 p.m.

  • Windchill Product Analytics

    Not vulnerable to Log4j 2.x vulnerabilities CVE-2021-44228 & CVE-2021-45046. Not vulnerable to Log4j 1.x vulnerability CVE-2021-4104.

    Updated December 17, 2021 at 4:07 p.m.

  • Windchill Requirements Connector

    https://www.ptc.com/en/support/article/CS358984

    Updated December 20, 2021 at 11:37 a.m.

  • Windchill Risk and Reliability (Formerly Windchill Quality Solutions)

    Not vulnerable to Log4j CVE-2021-44228 vulnerability. Refer to CS358831 for impacts related to the PTC License server:

    https://www.ptc.com/en/support/article/CS358831

    Updated January 14, 2022 at 9:45 a.m.

  • Windchill RV&S

    https://www.ptc.com/en/support/article/CS358804

    Updated December 14, 2021 at 11:58 p.m.

  • X32Plus

    Not vulnerable to Log4j CVE-2021-44228 vulnerability.

    Updated December 15, 2021 at 8:08 p.m.

PTC Cloud

Updated as of December 22, 2021. Please refer back to this alert for future updates.

In response to the Log4j security vulnerabilities, PTC Cloud is fully committed to applying all formally recommended actions to protect against Apache Log4j 2 CVE-2021-44228 and CVE-2021-45046 across all technology vectors supported as part of our Cloud service.

As part of that commitment, we remain completely aligned with PTC’s various R&D organizations. As applicable and based on the latest published recommendations, we are proactively and expeditiously executing required actions that best protect our customers against security threats.

PTC Cloud’s latest remediation actions can be found in our most recent published articles referenced under Cloud Products and Cloud 3rd Party sections below.

Across all technology platforms supported as part of our Cloud service, PTC Cloud has taken remediation actions to protect against all known critical vulnerabilities. As of this posting, PTC’s Cloud Security leadership team has determined that based on our hosting parameters, patch version 2.16 is the required patch level needed to remediate across known Log4j critical vulnerabilities.

PTC Cloud Management recognizes the recent release of Log4j patch 2.17; however, as noted above, this patch level is not required to be urgently applied. Accordingly, PTC Cloud will proceed under a standard maintenance process to upgrade to this patch level. Moving forward, we will continue to prioritize our efforts on urgent Log4j remediations requiring time-sensitive responses and actions.

As previously stated, as we react to the Log4j situation, PTC Cloud will continue to act with the utmost urgency. We will do our best to communicate in advance of any action requiring maintenance downtime. However, in some cases, as our top priority is to provide protection and security, we may not be able to plan communication before taking necessary security measures.

We will continue to provide ongoing updates in this central communication forum as required. We recommend that you check this communication vehicle regularly for updates.

If you have any questions or concerns, please send your inquiries to cloudservicemanagement@ptc.com and we will respond to you as soon as possible.

-Cloud Management

  • PTC Core Products

  • PTC Cloud 3rd Party Products/Tools

Recommended Remediation by 3rd Party Products/Tools

For products not listed below, we will provide recommended actions as they become available. Please refer back to this alert for future updates.

If you need to contact PTC, please go to: www.ptc.com/support.