Spring4Shell Security Vulnerability Response Center

Check here for the latest information on the Spring4Shell security vulnerability (CVE-2022-22965) by PTC product

Last Updated: July 19, 2022 at 12:55 p.m.

PTC’s Spring4Shell Response

PTC is aware of the critical zero-day vulnerability that has been discovered in the Spring Framework.

Technical details of the Spring4Shell vulnerability (CVE-2022-22965) are available here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted.

The PTC Cybersecurity team has been actively investigating any potential impact of this vulnerability as it relates to PTC Products, Services, and IT Infrastructure.

PTC recommends that all customers immediately work with their IT departments to implement mitigating controls such as a web application firewall (WAF) and/or other security measures.

PTC will provide updates as more information becomes available.

If you need to contact PTC, please go to www.ptc.com/support.


Current Status by Core Product

For products listed below as under investigation, we will provide recommended actions as they become available. Please refer back to this page for future updates.

Arbortext Editor, Styler, Publishing Engine

Not vulnerable to Spring4Shell CVE 2022-22965.

Arbortext Content Delivery

Investigation in progress, please check back for updates.

ApexAda, ObjectAda, AdaWorld, TeleUSE, X32Plus

Not vulnerable to Spring4Shell CVE 2022-22965.

Arena

Investigation in progress, please check back for updates.

Axeda Platform

Not vulnerable to Spring4Shell CVE 2022-22965.

Axeda/ThingWorx Policy Server

Investigation in progress, please check back for updates.

CADDS5

Not vulnerable to Spring4Shell CVE 2022-22965.

Creo

Not vulnerable to Spring4Shell CVE 2022-22965.

Creo Elements Direct

Not vulnerable to Spring4Shell CVE 2022-22965.

Creo Generative Design Extension (GDX)

Not vulnerable to Spring4Shell CVE 2022-22965.

Creo View

Not vulnerable to Spring4Shell CVE 2022-22965.

Digital Performance Management

Not vulnerable to Spring4Shell CVE 2022-22965.

Empower

Not vulnerable to Spring4Shell CVE 2022-22965.

iWarranty

Investigation in progress, please check back for updates.

Kepware

Not vulnerable to Spring4Shell CVE 2022-22965.

Mathcad

Not vulnerable to Spring4Shell CVE 2022-22965.

MKS Implementer

Not vulnerable to Spring4Shell CVE 2022-22965.

MKS Toolkit

Not vulnerable to Spring4Shell CVE 2022-22965.

MOVE

Not vulnerable to Spring4Shell CVE 2022-22965.

Onshape

Not vulnerable to Spring4Shell CVE 2022-22965.

Optegra

Not vulnerable to Spring4Shell CVE 2022-22965.

Perc

Not vulnerable to Spring4Shell CVE 2022-22965.

PTC Modeler

Not vulnerable to Spring4Shell CVE 2022-22965.

Service Knowledge Diagnostics (SKD)

Investigation in progress, please check back for updates.

Servigistics Service Parts Management

Not vulnerable to Spring4Shell CVE 2022-22965.

Updated April 22, 2022 at 9:15 a.m.

ThingWorx Analytics

Not vulnerable to Spring4Shell CVE 2022-22965.

ThingWorx Connection Server

Not vulnerable to Spring4Shell CVE 2022-22965.

ThingWorx Agents

Not vulnerable to Spring4Shell CVE 2022-22965.

ThingWorx Flow

Not vulnerable to Spring4Shell CVE 2022-22965.

ThingWorx Manufacturing and Service Apps

Not vulnerable to Spring4Shell CVE 2022-22965.

ThingWorx Manufacturing Building Blocks

Not vulnerable to Spring4Shell CVE 2022-22965.

ThingWorx Platform

https://www.ptc.com/en/support/article/CS366559

Updated April 6, 2022 at 3:50 p.m.

ThingWorx Software Content Management

Not vulnerable to Spring4Shell CVE 2022-22965.

ThingWorx Solution Central

Not vulnerable to Spring4Shell CVE 2022-22965.

Vuforia Chalk, View, Vantage, and Dalton

Not vulnerable to Spring4Shell CVE 2022-22965.

Vuforia Engine SDK

Not vulnerable to Spring4Shell CVE 2022-22965.

Vuforia Engine Server

Not vulnerable to Spring4Shell CVE 2022-22965.

Vuforia Expert Capture and Instruct

Not vulnerable to Spring4Shell CVE 2022-22965.

Vuforia Studio

Not vulnerable to Spring4Shell CVE 2022-22965.

Webship

Investigation in progress, please check back for updates.

Windchill Navigate

https://www.ptc.com/en/support/article/CS366834

Updated April 6, 2022 at 5:15 p.m.

Windchill PLM and FlexPLM

https://www.ptc.com/en/support/article/CS366379

Updated April 6, 2022 at 12:10 p.m.

Windchill Requirements Connector

Not vulnerable to Spring4Shell CVE 2022-22965.

Windchill RV&S

https://www.ptc.com/en/support/article/CS366731

Updated April 6, 2022 at 12:10 p.m.

X/Server

Not vulnerable to Spring4Shell CVE 2022-22965.

PTC Cloud

Updated as of April 4, 2022. Please refer back to this alert for future updates.

In response to the Spring4Shell CVE 2022-22965 vulnerability, PTC Cloud is fully committed to applying all formally recommended actions to protect against any exploitation across all technology vectors supported as part of our Cloud service. As part of that commitment, we are completely aligned with PTC’s various R&D organizations. As applicable, we are proactively and expeditiously executing required actions that best protect our customers against security threats.

Please note that as we proceed in reacting to the Spring4Shell situation, PTC Cloud will act with urgency in meeting this objective. We will do our best to communicate in advance of any action requiring maintenance downtime. However, in some cases, as our top priority is to provide protection and security, we may not be able to plan communication in advance.

We will provide ongoing updates in this central communication forum as required. We recommend that you continuously monitor updates through this communication vehicle.

If you have any additional questions or concerns, please send your inquiries to cloudservicemanagement@ptc.com and we will respond to you as soon as possible.
