Article - CS358789

Apache Log4j 2.x Security Vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) - Impact on Windchill and FlexPLM

Modified: 11-Jan-2022   


Applies To

  • Windchill PDMLink 11.1 M020
  • Windchill PDMLink 11.2.1.0
  • Windchill PDMLink 12.0.2.0
  • FlexPLM 11.1 M010
  • FlexPLM 11.1 M020
  • FlexPLM 11.2.1.0
  • FlexPLM 12.0.0.0
  • FlexPLM 12.0.2.0
  • Windchill PDMLink 11.0 M030
  • FlexPLM 11.0 M030
  • Windchill PDMLink 12.1.0.0

Description

Last Update: 1/11/2022 6:00PM EST (see version history below)

A critical zero-day vulnerability has been reported in the 3rd party library Apache log4j. This article has been created to provide customers with information and recommended actions. The analysis and investigation are ongoing. As new vulnerabilities in Apache log4j are reported or new recommended mitigations are identified, this article will be updated. Check this article regularly for additional updates to ensure you have the latest details.

CVE-2021-44228
Base CVSS Score: 10.0  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The following related vulnerability has also been reported; it is recommended that it also be addressed as a priority.
CVE-2021-45046
Base CVSS Score: 9.0  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerable Apache log4j versions for the CVEs above: all versions from 2.0-beta9 to 2.15.0

The following CVE was reported by Apache against log4j versions 2.0-beta9 to 2.16:
CVE-2021-45105
Base CVSS Score: 7.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.16

The following CVE was reported by Apache against Log4j 2.17:
CVE-2021-44832
Base CVSS Score: 6.6  CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.17.0

Refer to the Apache article for more details:
https://logging.apache.org/log4j/2.x/security.html

Windchill includes the log4j library for native logging capabilities (see below for impacts related to supported 3rd party bundled components that integrate directly with Windchill).

There are no known exploits reported for Windchill at this time.
Investigation is ongoing to identify any potential attack surface. This article will be updated regularly as more details are available regarding potential exploitability.

Due to the criticality of this reported vulnerability, PTC STRONGLY RECOMMENDS taking IMMEDIATE action to ensure all impacted Windchill instances are secure.

IMPORTANT NOTE: All instances include not only production, but staging, development, testing etc. Any Windchill deployment of the impacted releases should be updated as per recommendations below. This includes updating all Windchill file servers.
Windchill Release: 11.0 M030
Apache Log4j version: log4j 1.x
Additional Information: Not vulnerable. Refer to Article C0359009 for more information.*

Windchill Release: 11.1 M020 and earlier; 11.2.1; FlexPLM 11.1 M010; FlexPLM 11.1 M020; FlexPLM 11.2.1; FlexPLM 12.0.0
Apache Log4j version: log4j 1.x
Additional Information: Not vulnerable. Refer to Article C0359009 for more information.*

Windchill Release: 12.0.2.0 (CPS01 and CPS02); FlexPLM 12.0.2
Apache Log4j version: log4j 2.14.1
Additional Information: Immediate Action Strongly Recommended – Workaround (see Resolution section for specific steps)

Windchill Release: 12.0.2.3 (CPS03); 12.1.0.0; FlexPLM 12.0.2.2
Apache Log4j version: log4j 2.17.0
Additional Information: Updated Log4j version 2.17.0. 12.0.2.3 released on Dec 28, 2021. 12.1.0.0 released on Dec 30, 2021.

Windchill Release: 12.0.2.4 (CPS04); 12.1.0.1 (CPS01)
Apache Log4j version: log4j 2.17.1
Additional Information: Plan to update to log4j 2.17.1. CPS04 planned to release Feb. 16, 2022; check the CPS Release Calendar to confirm any changes to this schedule. CPS01 planned to release Feb. 18; check the CPS Release Calendar to confirm any changes to this schedule.

* PTC continuously monitors and analyzes supported Windchill releases for any reported critical or high CVE.

Additional Windchill Components:
Windchill Component: Windchill Workgroup Manager (WWGM)
Impacted: No Impact
Additional Information: N/A

Windchill Component: Windchill Rest Services (WRS)
Impacted: Same as Windchill (addressed above)
Additional Information: N/A

Windchill Component: Command Line Utilities (WCTK, Rehost, WBM, O2S)
Impacted: No exploitable path
Additional Information: Admin-only access to the Windchill Shell is required; controlled execution, no external user input.

Windchill Component: Windchill Performance Advisor
Impacted: No Impact
Additional Information: N/A

Windchill Component: Windchill Performance Advisor (Dynatrace AppMon)
Impacted: No Impact
Additional Information: Special Service: AppMon Log4j vulnerability update

Windchill Component: Adapter Toolkit
Impacted: No exploitable path
Additional Information: AdapterToolkit is no longer a supported feature in Windchill. Customers can delete the jar directly from the Windchill codebase; there are no functional impacts.
To remove: navigate to $(wt.home)\srclib\dpinfra\ and delete AdapterToolkit.jar
Windchill Component: Creo Packages Client
Impacted: No exploitable path
Additional Information: It is recommended to move to the new Windchill 12.0.2.3 release (see the CPS Release Calendar) once it becomes available and perform a fresh bootstrap by deleting the existing bootstrap directory inside WPC_HOME.

The file "log4j-core.jar" located at <WT_HOME>/codebase/lib/log4j-core.jar is not used by Windchill but is used by Creo Packages Client. When Creo Packages Client is configured to work with Windchill, the "log4j-core.jar" present at <WT_HOME>/codebase/lib/log4j-core.jar is deployed to the Creo Packages Client installation.

If Creo Packages Client is not used, this jar can be deleted.

For existing deployments of Creo Packages Client for the impacted Windchill version, follow this workaround to mitigate the issue:
  • Browse to the WPC_HOME/bootstrap folder
  • Browse to the bootstrapped directory location. Sample location:
    • WPC_HOME/bootstrap/<host.port>/Windchill/[protocolAuth]/lib
      • <host.port> - Windchill host and port. Note: if port 80 is used, only the hostname will be present in the directory name
      • [protocolAuth] - An optional directory that exists only if protocolAuth is used; otherwise, the path will include only the lib directory
  • Open the log4j-core jar using any jar utility that allows you to modify jars.
  • Browse to org/apache/logging/log4j/core/lookup and delete JndiLookup.class
  • Now you can resume export and import operations of WPC.
A warning message (below) will be shown when the WPC command is executed. This can be ignored as there are no functional impacts related to it:
2021-12-15 02:41:58,389 main WARN JNDI lookup class is not available because this JRE does not support JNDI. JNDI string lookups will not be available, continuing configuration. Ignoring
java.lang.ClassNotFoundException: org.apache.logging.log4j.core.lookup.JndiLookup
Windchill Component: Windchill IES ClearCase Adapter
Impacted: Impacted
Additional Information: Workaround for "Windchill IES ClearCase Adapter" (applicable to both Windows and Linux based Windchill installations)

Step 1
After the documented workaround steps are applied to Windchill (see remediation steps below), manually copy "ie3rdpartylibs.jar" from <WT_HOME>/codebase/WEB-INF/lib/ie3rdpartylibs.jar and replace it inside <WT_HOME>/codebase/downloads/sw_link/cc.zip

Step 2
Reinstall "Windchill IES ClearCase Adapter" following the details in "Windchill IES Documentation" found here.

Windchill Component: Windchill IES SVN Adapter
Impacted: Impacted
Additional Information: Workaround for "Windchill IES SVN Adapter" (applicable to both Windows and Linux based Windchill installations)

Step 1
After the documented workaround steps are applied to Windchill (see remediation steps below), manually copy "ie3rdpartylibs.jar" from <WT_HOME>/codebase/WEB-INF/lib/ie3rdpartylibs.jar and replace it inside <WT_HOME>/codebase/downloads/sw_link/svn.zip

Step 2
Reinstall "Windchill IES SVN Adapter" following the details in "Windchill IES Documentation" found here.
Windchill Component: Windchill Visualization Services (WVS) worker customizations and extensions
Impacted: No Direct Exploitable Path
Additional Information: WVS optionally allows configuring publishing workers so that the created visualization files are stored directly on the server using the "Upload To File Server Hook" (see details here).

Note:
  • Customers on Windchill releases 12.1.0.0 and 12.0.2.3, which already have Apache Log4j 2.17.0 or later (where the vulnerable JndiLookup.class is removed), should skip Step 1 and continue with Step 2 and Step 3.
  • Customers on other/older impacted releases will still need to perform all the steps from Step 1 to Step 3 as part of the mitigation.

Apply the mitigation below to resolve the issue with the Upload to File Server Hook.

Step 1
Follow the 'Resolution' section for mitigation steps on the Windchill server and ensure that JndiLookup.class is no longer part of the jar <WT_HOME>/codebase/WEB-INF/lib/ie3rdpartylibs.jar.

Step 2
Once Step 1 is complete, delete the 'UploadToFileServerHook' directory from:
  • the <WT_HOME>/codebase location on the Master\Main Windchill server
  • all worker machine(s) where the UploadToFileServer hook is already configured

Step 3
Follow the steps to create the 'UploadToFileServerHook' directory content again on the Windchill server, then copy it onto the necessary worker machines and configure the hook again (see here for additional details).

WVS also allows configuring a Custom Generic Worker (see details here). Only if a custom generic worker is configured at your end and its wvs.jar contains the JndiLookup.class file, apply the mitigation below to resolve the issue.

Note:
  • Customers on Windchill releases 12.1.0.0 and 12.0.2.3, which already have Apache Log4j 2.17.0 or later (where the vulnerable JndiLookup.class is removed), should skip Step 1 and continue with Step 2 and Step 3.
  • Customers on other/older impacted releases will still need to perform all the steps from Step 1 to Step 3 as part of the mitigation.

Step 1
Follow the 'Resolution' section for mitigation steps on the Windchill server and ensure that JndiLookup.class is no longer part of the jar <WT_HOME>/codebase/WEB-INF/lib/ie3rdpartylibs.jar.

Step 2
Once Step 1 is complete, delete the wvs.jar file from the <WT_HOME>/codebase location on the Windchill server.

Step 3
Follow the steps to create the wvs.jar file again on the Windchill server (see here for more details).

Now, stop all the custom generic workers to take them offline, copy the wvs.jar created in Step 3 above onto the necessary custom generic worker machines, then reload the workers from Windchill's worker agent administration wizard.
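Several of the workarounds above come down to two manual jar operations: confirming that JndiLookup.class is no longer inside a jar (ie3rdpartylibs.jar, wvs.jar, and the copy packed inside cc.zip or svn.zip) and, for the Creo Packages Client bootstrap, deleting that class from log4j-core.jar. The script below is an added example for this article, not PTC code and not part of Windchill: it walks a directory tree, reports every archive that carries Log4j 2.x core classes (recursing into archives nested inside archives, so a jar inside cc.zip is found), shows the version from log4j-core's pom.properties or manifest when one is present, and can write a copy of a jar with JndiLookup.class removed. All function names, the archive extensions it looks at and the small sample tree its demo builds are assumptions made for illustration; point `scan_tree` at your own <WT_HOME>/codebase or WPC_HOME/bootstrap directory to use it.

```python
"""Added example (not PTC code): find Log4j 2.x core classes in archives under a directory,
recursing into nested archives (e.g. a jar inside cc.zip), report whether JndiLookup.class
is present, and optionally write a copy of a jar without it. Demo paths are constructed."""
import io
import os
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_EXT = (".jar", ".zip", ".war", ".ear")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _log4j_version(zf):
    """Version from pom.properties, else the manifest, else None (fat jars may carry neither)."""
    names = zf.namelist()
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith(("Implementation-Version:", "Bundle-Version:")):
                return line.split(":", 1)[1].strip()
    return None


def inspect_archive(data, path):
    """Yield (path, version, has_jndi) for this archive and every archive nested inside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
            yield (path, _log4j_version(zf), JNDI_CLASS in names)
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):  # e.g. ie3rdpartylibs.jar inside cc.zip
                yield from inspect_archive(zf.read(name), path + "!" + name)


def scan_tree(root):
    """Walk root and return (path, version, has_jndi) for every archive with Log4j 2.x core classes."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, f)
            try:
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
            except zipfile.BadZipFile:
                pass  # not a real zip: skip it rather than abort the scan
    return findings


def strip_jndi_lookup(src_jar, dst_jar):
    """Write dst_jar as src_jar minus JndiLookup.class (the manual workaround, applied to a copy)."""
    removed = False
    with zipfile.ZipFile(src_jar) as zin, zipfile.ZipFile(dst_jar, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def build_sample_tree(root):
    """Constructed demo layout: a fake 'log4j 2.14.1' fat jar holding only the entries the
    scanner looks at (class bodies are placeholders) plus a copy nested inside cc.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
        zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    lib = os.path.join(root, "codebase", "WEB-INF", "lib")
    sw = os.path.join(root, "codebase", "downloads", "sw_link")
    for d in (lib, sw):
        os.makedirs(d)
    jar = os.path.join(lib, "ie3rdpartylibs.jar")
    with open(jar, "wb") as fh:
        fh.write(buf.getvalue())
    with zipfile.ZipFile(os.path.join(sw, "cc.zip"), "w") as zf:
        zf.writestr("ie3rdpartylibs.jar", buf.getvalue())
    return jar


def run_demo():
    """Scan the constructed tree, strip the class from one jar, re-inspect the copy."""
    root = tempfile.mkdtemp()
    try:
        jar = build_sample_tree(root)
        before = sorted((p[len(root):].replace(os.sep, "/"), v, hit)
                        for p, v, hit in scan_tree(root))
        fixed = os.path.join(root, "fixed.jar")
        removed = strip_jndi_lookup(jar, fixed)
        with open(fixed, "rb") as fh:
            after = [(v, hit) for _, v, hit in inspect_archive(fh.read(), fixed)]
        return {"before": before, "removed": removed, "after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The scanner keys on the class path prefix rather than on the jar's file name, because the article's affected copies live inside fat jars (ie3rdpartylibs.jar, wvs.jar) that do not announce Log4j in their names. Removing the lookup class only covers the JNDI-based CVEs; per the version ranges listed above, 2.0-beta7 to 2.16 remains affected by CVE-2021-45105, so the update to the 2.17.x releases in the table is still the completing step.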

Impacts to 3rd Party Bundled Components:
 
  • While earlier Windchill releases (prior to 12.0.2.0) may not include the vulnerable log4j version, supported 3rd party bundled components may still be vulnerable.
  • The Windchill impact analysis includes review of the following 3rd party bundled components:
    • Solr
    • Cognos
    • Tibco
  • PTC is working with each specific vendor to determine impact, exploitability, and recommended actions. In addition, internal investigations are in progress to determine any possible interim steps to mitigate the security risk.
  • Refer to the table below (Resolution section) for the latest updates for each 3rd party component.
Impacts to Integrated PTC Applications/Solutions:
  • FlexPLM – Recommended actions should be followed.  Any additional considerations will be provided when/if they become available.
  • Navigate/ThingWorx – CS359107
  • Ping Federate - CS358902
  • Wincom - Not affected
Additional locations in Windchill Codebase where Log4j 2.x is found:
There are additional locations in the Windchill codebase where log4j 2.x is included. The use of log4j in these locations is not exploitable. However, for customers who require all log4j instances to be up to date to meet security requirements, additional steps may be needed to remove log4j from these locations.
Refer to the table at the end of the article for a list of known locations and recommended actions.
 
This is a PDF version of Article CS358789 and may be out of date. For the latest version click https://www.ptc.com/en/support/article/CS358789