All product remediation actions provided by PTC will apply to current and actively supported software versions. However, the remediation steps for these versions will be similar or identical to earlier versions that leverage Log4j v1 or v2 and are no longer actively supported by PTC.
PTC strongly encourages customers on non-supported versions to take similar actions to protect their infrastructure; these customers should not assume that previous versions of the software are not impacted by the vulnerabilities disclosed to date. Notably, PTC provides numerous security and performance-related improvements as we release new versions of our software. PTC strongly advocates for customers to leverage supported versions at their earliest opportunity to take advantage of these improvements and have the strongest possible security posture.
PTC believes that addressing cybersecurity threats is a shared responsibility across software providers, customers and active users of the software, partners and software integrators, governments and regulators, and more. PTC remains committed to fulfilling its role as a software provider in this shared responsibility model and strongly encourages other groups – including customers and active users – to fulfill theirs.
Recommended Remediation by Core Product
For products not listed below, we will provide recommended actions as they become available. Please refer back to this alert for future updates.
Not vulnerable to Log4j CVE-2021-44228 vulnerability.
Updated December 16, 2021 at 3:50 p.m.
Warranty analytics (Service Intelligence) uses IBM Cognos. Please refer to the Cognos section below under "3rd Party Tools/Products" for more details. All other modules are not vulnerable to Log4j CVE-2021-44228 vulnerability.
Not vulnerable to Log4j CVE-2021-44228 vulnerability.
Updated December 15, 2021 at 8:08 p.m.
Updated as of December 22, 2021. Please refer back to this alert for future updates.
In response to the Log4j security vulnerabilities, PTC Cloud is fully committed to applying all formally recommended actions to protect against Apache Log4j 2 CVE-2021-44228 and CVE-2021-45046 across all technology vectors supported as part of our Cloud service.
As part of that commitment, we remain completely aligned with PTC’s various R&D organizations. As applicable and based on the latest published recommendations, we are proactively and expeditiously executing required actions that best protect our customers against security threats.
PTC Cloud’s latest remediation actions can be found in our most recent published articles referenced under Cloud Products and Cloud 3rd Party sections below.
Across all technology platforms supported as part of our Cloud service, PTC Cloud has taken remediation actions to protect against all known critical vulnerabilities. As of this posting, PTC’s Cloud Security leadership team has determined that based on our hosting parameters, patch version 2.16 is the required patch level needed to remediate across known Log4j critical vulnerabilities.
PTC Cloud Management recognizes the recent release of Log4j patch 2.17; however, as noted above, this patch level is not required to be urgently applied. Accordingly, PTC Cloud will proceed under a standard maintenance process to upgrade to this patch level. Moving forward, we will continue to prioritize our efforts on urgent Log4j remediations requiring time-sensitive responses and actions.
As previously stated, as we react to the Log4j situation, PTC Cloud will continue to act with the utmost urgency. We will do our best to communicate in advance of any action requiring maintenance downtime. However, in some cases, as our top priority is to provide protection and security, we may not be able to plan communication before taking necessary security measures.
We will continue to provide ongoing updates in this central communication forum as required. We recommend that you check this forum regularly for updates.