Article - CS358789

Apache Log4j 2.x Security Vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) - Impact on Windchill and FlexPLM

Modified: 22-Dec-2022   


Applies To

  • Windchill PDMLink 11.0 M030
  • FlexPLM 11.0 M030
  • FlexPLM 11.1 M010
  • FlexPLM 11.1 M020
  • Windchill PDMLink 11.1 M020
  • Windchill PDMLink 11.2.1.0
  • FlexPLM 11.2.1.0
  • FlexPLM 12.0.0.0
  • FlexPLM 12.0.2.0
  • Windchill PDMLink 12.1.0.0
  • Windchill PDMLink 12.0.2.0

Description

A critical zero-day vulnerability has been reported in the 3rd party library log4j.
This article has been created to provide customers with information and recommended actions.
Analysis and investigation are on-going:
  • Check this article regularly for additional updates to ensure you have the latest details.
Currently, the following vulnerabilities are known:
  • CVE-2021-44228
    Base CVSS Score: 10.0  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2021-45046
    This vulnerability has also been reported and is related to the CVE above. It is recommended that it also be addressed as a priority.
    Base CVSS Score: 9.0  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    Vulnerable Apache log4j versions for the two CVEs above: all versions from 2.0-beta9 to 2.15.0
  • CVE-2021-45105
    Reported by Apache against log4j versions 2.0-beta9 to 2.16.
    Base CVSS Score: 7.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerable Apache Log4j versions for this CVE: 2.0-beta7 to 2.16
  • CVE-2021-44832
    Reported by Apache against Log4j 2.17.
    Base CVSS Score: 6.6  CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
    Vulnerable Apache Log4j versions for this CVE: 2.0-beta7 to 2.17.0


    IMPORTANT NOTE:

    • Due to the criticality of this reported vulnerability, PTC STRONGLY RECOMMENDS taking IMMEDIATE action to ensure all impacted Windchill instances are secure.
    • There are no known exploits reported for Windchill at this time. Investigation is on-going to identify any potential attack surface.
    • All instances (dev, test and prod) are impacted, and any Windchill deployment of the impacted releases should be updated as per the recommendations below. This includes updating all Windchill file servers.

    IMPACT ON WINDCHILL RELEASES:

    • Windchill includes the log4j library for native logging capabilities. (See below for impacts related to supported 3rd party bundled components that integrate directly with Windchill.)

    Windchill Release | Apache Log4j version | Additional Information
    ----------------- | -------------------- | ----------------------
    11.0 M030 | log4j 1.x | Not vulnerable. Refer to Article CS359009 for more information. *
    11.1 M020 and earlier; 11.2.1; FlexPLM 11.1 M010; FlexPLM 11.1 M020; FlexPLM 11.2.1; FlexPLM 12.0.0 | log4j 1.x | Not vulnerable. Refer to Article CS359009 for more information. *
    12.0.2.0 (CPS01 and CPS02); FlexPLM 12.0.2 | log4j 2.14.1 | Immediate Action Strongly Recommended – Workaround (see Resolution section for specific steps)
    12.0.2.3 (CPS03); 12.1.0.0; FlexPLM 12.0.2.2 | log4j 2.17.0 | Updated Log4j version 2.17.0. 12.0.2.3 released on Dec 28, 2021; 12.1.0.0 released on Dec 30, 2021
    12.0.2.4 (CPS04); 12.1.0.1 (CPS01); FlexPLM 12.0.2.3 | log4j 2.17.1 | Updated to log4j 2.17.1. CPS04 released on Feb. 16, 2022; CPS01 released on Feb. 23, 2022

    * PTC continuously monitors and analyzes supported Windchill releases for any reported critical or high CVE.

         
    Additional Windchill Components:

    • Additional analysis has been done for Windchill components to identify any impact or risk.
    • Please see the Resolution section for information on additional Windchill components.

    Impacts to 3rd Party Bundled Components:

    • While earlier Windchill releases (prior to 12.0.2.0) may not include the vulnerable log4j version, supported 3rd party bundled components may still be vulnerable.
    • The Windchill impact analysis includes review of the following 3rd party bundled components:
      • Solr
      • Cognos
      • Tibco
    • Refer to the table in the Resolution section for the latest updates for each 3rd party component.


    IMPACT TO INTEGRATED PTC APPLICATIONS/SOLUTIONS:

    • FlexPLM - Recommended actions should be followed. Any additional considerations will be provided when/if they become available.
    • Navigate/ThingWorx - CS359107
    • Ping Federate - CS358902
    • Shibboleth SP - Not affected. Refer to the Shibboleth Announcement for further details.
    • Wincom - Not affected.


    Additional locations in Windchill Codebase where Log4j 2.x is found:

    • There are additional locations in the Windchill codebase where log4j 2.x is included.
    • The use of log4j in these locations is not exploitable.
    • However, for customers who require all log4j instances to be up to date to meet security requirements, additional steps may be needed to remove log4j in these locations.
    • Refer to the table at the end of the article for a list of known locations and recommended actions.

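    Inventorying every log4j-core copy on a host is the practical first step behind both the version table above and the "additional locations" list, because an installation can carry more than one copy. The following script is an added example, not PTC tooling and not part of this article: it walks a directory tree (for instance a Windchill codebase or file-server installation directory), reads each log4j-core jar's Implementation-Version from its manifest, and maps that version onto the affected ranges exactly as the Description section states them. It assumes the jar carries the standard Implementation-Version manifest header (falling back to the version in the file name); it does not unpack jars nested inside WAR/EAR archives. The directory layout, jar names and manifests built by demo() are constructed for the example.

```python
"""Added example: inventory log4j-core jars and map their versions onto the
CVE ranges listed in this article. Not PTC's tooling; sample data is constructed."""
import re
import tempfile
import zipfile
from pathlib import Path

# (CVE, lowest affected version, highest affected version) as stated in the article
CVE_RANGES = [
    ("CVE-2021-44228", "2.0-beta9", "2.15.0"),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0"),
    ("CVE-2021-45105", "2.0-beta7", "2.16.0"),
    ("CVE-2021-44832", "2.0-beta7", "2.17.0"),
]

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # pre-releases sort below a final release (rank 3)


def version_key(version):
    """Turn '2.0-beta9', '2.15.0' or '2.16' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre] if pre else 3
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def applicable_cves(version):
    """Return the article's CVEs whose affected range contains this version."""
    v = version_key(version)
    return [cve for cve, lo, hi in CVE_RANGES if version_key(lo) <= v <= version_key(hi)]


def jar_version(jar_path):
    """Read Implementation-Version from META-INF/MANIFEST.MF; fall back to the
    version embedded in the file name (log4j-core-2.14.1.jar)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    m = re.search(r"log4j-core-(.+)\.jar$", Path(jar_path).name)
    return m.group(1) if m else None


def scan(root):
    """Walk root and report every log4j-core jar with its version and CVE hits.
    Top-level jars only; jars nested inside WAR/EAR archives are not opened."""
    findings = []
    for jar in Path(root).rglob("log4j-core-*.jar"):
        ver = jar_version(jar)
        findings.append({
            "path": str(jar),
            "version": ver,
            "cves": applicable_cves(ver) if ver else ["unknown version"],
        })
    return findings


def make_sample_jar(path, version):
    """Write a minimal constructed jar containing only a manifest (test data, not a real log4j jar)."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return path


def demo():
    """Build a constructed sample tree with two jars, scan it, and return the
    findings sorted by path (paths made relative to the tree, POSIX separators)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout: one jar still on 2.14.1, one already on 2.17.1
        make_sample_jar(Path(tmp) / "codebase" / "WEB-INF" / "lib" / "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(Path(tmp) / "tools" / "lib" / "log4j-core-2.17.1.jar", "2.17.1")
        findings = scan(tmp)
        for f in findings:
            f["path"] = Path(f["path"]).relative_to(tmp).as_posix()
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: log4j-core {f['version']} -> {f['cves'] or 'not in any listed range'}")
```

    Run it as-is to see the constructed demo, or call scan("/path/to/Windchill") to inventory a real installation; a jar that reports "unknown version" is one whose manifest and file name both lack a version and should be inspected by hand. The scan is an inventory aid: which locations actually require action remains as described in this article's Resolution section and the table of known locations.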
        This is a printer-friendly version of Article 358789 and may be out of date. For the latest version click CS358789