• Spring4Shell

Spring4Shell Security Vulnerability Response Center

Check here for the latest information on the Spring4Shell security vulnerability (CVE-2022-22965) by PTC product

Last Updated: July 19, 2022 at 12:55 p.m.

PTC’s Spring4Shell Response

PTC is aware of the critical zero-day vulnerability that has been discovered in the Spring Framework.

Technical details of the Spring4Shell CVE 2022-22965 vulnerability are available here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted.

The PTC Cybersecurity team has been actively investigating any potential impact of this vulnerability as it relates to PTC Products, Services, and IT Infrastructure.

PTC recommends that all customers immediately work with their IT departments to implement mitigating controls such as WAF and/or other security measures.

PTC will provide updates as more information becomes available.

If you need to contact PTC, please go to www.ptc.com/support.


Current Status by Core Product

For products listed as under investigation below, we will provide recommended actions as they become available. Please refer back to this page for future updates

  • Arbortext Editor, Styler, Publishing Engine

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Arbortext Content Delivery

    Investigation in progress, please check back for updates.

  • ApexAda, ObjectAda, AdaWorld, TeleUSE, X32Plus

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Arena

    Investigation in progress, please check back for updates.

  • Axeda Platform

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Axeda/ThingWorx Policy Server

    Investigation in progress, please check back for updates.

  • CADDS5

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Creo

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Creo Elements Direct

    Not vulnerable to Spring4Shell CVE 2022-22965

  • Creo Generative Design Extension (GDX)

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Creo View

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Digital Performance Management

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Empower

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • iWarranty

    Investigation in progress, please check back for updates.

  • Kepware

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Mathcad

    Not vulnerable to Spring4Shell CVE 2022-22965

  • MKS Implementer

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • MKS Toolkit

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • MOVE

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Onshape

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Optegra

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Perc

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Service Knowledge Diagnostics (SKD)

    Investigation in progress, please check back for updates.

  • Servigistics Service Parts Management

    Not vulnerable to Spring4Shell CVE 2022-22965.

    Updated April 22, 2022 at 9:15 a.m

  • ThingWorx Analytics

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • ThingWorx Connection Server

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • ThingWorx Agents

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • ThingWorx Flow

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • ThingWorx Manufacturing and Service Apps

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • ThingWorx Manufacturing Building Blocks

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • ThingWorx Navigate

    https://www.ptc.com/en/support/article/CS366834

    Updated April 6, 2022 at 5:15 p.m.

  • ThingWorx Platform

    https://www.ptc.com/en/support/article/CS366559

    Updated April 6, 2022 at 3:50 p.m.

  • ThingWorx Software Content Management

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • ThingWorx Solution Central

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Vuforia Chalk, View, Vantage, and Dalton

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Vuforia Engine SDK

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Vuforia Engine Server

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Vuforia Expert Capture and Instruct

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Vuforia Studio

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Webship

    Investigation in progress, please check back for updates.

  • Windchill PLM and FlexPLM

    https://www.ptc.com/en/support/article/CS366379

    Updated April 6, 2022 at 12:10 p.m

  • Windchill Modeler

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Windchill Requirements Connector

    Not vulnerable to Spring4Shell CVE 2022-22965.

  • Windchill RV&S

    https://www.ptc.com/en/support/article/CS366731

    Updated April 6, 2022 at 12:10 p.m.

  • X/Server

    Not vulnerable to Spring4Shell CVE 2022-22965.

PTC Cloud

Updated as of April 4, 2022. Please refer back to this alert for future updates.

In response to the Spring4Shell CVE 2022-22965 vulnerability, PTC Cloud is fully committed to applying all formally recommended actions to protect against any exploitation across all technology vectors supported as part of our Cloud service. As part of that commitment, we are completely aligned with PTC’s various R&D organizations. As applicable, we are proactively and expeditiously executing required actions that best protect our customers against security threats.

Please note that as we proceed in reacting to the Spring4Shell situation, PTC Cloud will act with urgency in meeting this objective. We will do our best to communicate in advance of any action requiring maintenance downtime. However, in some cases, as our top priority is to provide protection and security, we may not be able to plan communication in advance.

We will provide ongoing updates in this central communication forum as required. We recommend that you continuously monitor updates through this communication vehicle.

If you have any additional questions or concerns, please send your inquires to cloudservicemanagement@ptc.com and we will respond to you as soon as possible.

  • PTC Core Products