PTC’s Spring4Shell Response
PTC is aware of the critical zero-day vulnerability that has been discovered in the Spring Framework.
Technical details of the Spring4Shell CVE 2022-22965 vulnerability are available here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted.
The PTC Cybersecurity team has been actively investigating any potential impact of this vulnerability as it relates to PTC Products, Services, and IT Infrastructure.
PTC recommends that all customers immediately work with their IT departments to implement mitigating controls such as a web application firewall (WAF) and/or other security measures.
PTC will provide updates as more information becomes available.
If you need to contact PTC, please go to www.ptc.com/support.
Current Status by Core Product
For products listed below as under investigation, we will provide recommended actions as they become available. Please refer back to this page for future updates.
Arbortext Editor, Styler, Publishing Engine
Not vulnerable to Spring4Shell CVE 2022-22965.
Arbortext Content Delivery
Investigation in progress, please check back for updates.
ApexAda, ObjectAda, AdaWorld, TeleUSE, X32Plus
Not vulnerable to Spring4Shell CVE 2022-22965.
Arena
Investigation in progress, please check back for updates.
Axeda Platform
Not vulnerable to Spring4Shell CVE 2022-22965.
Axeda/ThingWorx Policy Server
Investigation in progress, please check back for updates.
CADDS5
Not vulnerable to Spring4Shell CVE 2022-22965.
Creo
Not vulnerable to Spring4Shell CVE 2022-22965.
Creo Elements Direct
Not vulnerable to Spring4Shell CVE 2022-22965.
Creo Generative Design Extension (GDX)
Not vulnerable to Spring4Shell CVE 2022-22965.
Creo View
Not vulnerable to Spring4Shell CVE 2022-22965.
Digital Performance Management
Not vulnerable to Spring4Shell CVE 2022-22965.
Empower
Not vulnerable to Spring4Shell CVE 2022-22965.
iWarranty
Investigation in progress, please check back for updates.
Kepware
Not vulnerable to Spring4Shell CVE 2022-22965.
Mathcad
Not vulnerable to Spring4Shell CVE 2022-22965.
MKS Implementer
Not vulnerable to Spring4Shell CVE 2022-22965.
MKS Toolkit
Not vulnerable to Spring4Shell CVE 2022-22965.
MOVE
Not vulnerable to Spring4Shell CVE 2022-22965.
Onshape
Not vulnerable to Spring4Shell CVE 2022-22965.
Optegra
Not vulnerable to Spring4Shell CVE 2022-22965.
Perc
Not vulnerable to Spring4Shell CVE 2022-22965.
PTC Modeler
Not vulnerable to Spring4Shell CVE 2022-22965.
Service Knowledge Diagnostics (SKD)
Investigation in progress, please check back for updates.
Servigistics Service Parts Management
Not vulnerable to Spring4Shell CVE 2022-22965.
Updated April 22, 2022 at 9:15 a.m.
ThingWorx Analytics
Not vulnerable to Spring4Shell CVE 2022-22965.
ThingWorx Connection Server
Not vulnerable to Spring4Shell CVE 2022-22965.
ThingWorx Agents
Not vulnerable to Spring4Shell CVE 2022-22965.
ThingWorx Flow
Not vulnerable to Spring4Shell CVE 2022-22965.
ThingWorx Manufacturing and Service Apps
Not vulnerable to Spring4Shell CVE 2022-22965.
ThingWorx Manufacturing Building Blocks
Not vulnerable to Spring4Shell CVE 2022-22965.
ThingWorx Platform
Updated April 6, 2022 at 3:50 p.m.
ThingWorx Software Content Management
Not vulnerable to Spring4Shell CVE 2022-22965.
ThingWorx Solution Central
Not vulnerable to Spring4Shell CVE 2022-22965.
Vuforia Chalk, View, Vantage, and Dalton
Not vulnerable to Spring4Shell CVE 2022-22965.
Vuforia Engine SDK
Not vulnerable to Spring4Shell CVE 2022-22965.
Vuforia Engine Server
Not vulnerable to Spring4Shell CVE 2022-22965.
Vuforia Expert Capture and Instruct
Not vulnerable to Spring4Shell CVE 2022-22965.
Vuforia Studio
Not vulnerable to Spring4Shell CVE 2022-22965.
Webship
Investigation in progress, please check back for updates.
Windchill Navigate
Updated April 6, 2022 at 5:15 p.m.
Windchill PLM and FlexPLM
https://www.ptc.com/en/support/article/CS366379
Updated April 6, 2022 at 12:10 p.m.
Windchill Requirements Connector
Not vulnerable to Spring4Shell CVE 2022-22965.
Windchill RV&S
Updated April 6, 2022 at 12:10 p.m.
X/Server
Not vulnerable to Spring4Shell CVE 2022-22965.
PTC Cloud
Updated as of April 4, 2022. Please refer back to this alert for future updates.
In response to the Spring4Shell CVE 2022-22965 vulnerability, PTC Cloud is fully committed to applying all formally recommended actions to protect against any exploitation across all technology vectors supported as part of our Cloud service. As part of that commitment, we are completely aligned with PTC’s various R&D organizations. As applicable, we are proactively and expeditiously executing required actions that best protect our customers against security threats.
Please note that as we proceed in reacting to the Spring4Shell situation, PTC Cloud will act with urgency in meeting this objective. We will do our best to communicate in advance of any action requiring maintenance downtime. However, in some cases, as our top priority is to provide protection and security, we may not be able to plan communication in advance.
We will provide ongoing updates in this central communication forum as required. We recommend that you continuously monitor updates through this communication vehicle.
If you have any additional questions or concerns, please send your inquiries to cloudservicemanagement@ptc.com and we will respond to you as soon as possible.
PTC Core Products
- Windchill PLM and FlexPLM
- https://www.ptc.com/en/support/article/cs366943