Article - CS358901

ThingWorx Apache log4j vulnerability - Incident Response

Modified: 06-May-2024   

Applies To

  • ThingWorx Platform 8.1 to 9.4
  • ThingWorx Analytics 8.5 to 9.4
  • And all currently supported versions


  • Customer alert and recommendations for remediation of the Apache log4j identified vulnerability CVE-2021-44228. This vulnerability is in a third party library that PTC Software uses for logging of application errors, events and associated information. The vulnerability if exploited allows for remote and potentially malicious code execution on your environments.
  • This vulnerability will be fixed in maintenance versions of ThingWorx platform versions including 8.5, 9.0, 9.1, 9.2 by updating the log4j library OR removing its usage from our software.
  • In the interim, there may be configuration settings which will remove the vulnerability and this is recommended to be applied immediately to your PTC ThingWorx installations and components identified in this article.
  • Please note PTC does not hold responsibility for 3rd party use of Log4J in custom solutions which will still require remediation. This applies to all listed items in the ThingWorx Product Suite.
  • Log4j 2.x has reported following vulnerabilities:

    • CVE-2021-44228:

      • Description: Log4j JNDI features do not protect against attacker controlled LDAP and other JNDI endpoints.

    • CVE-2021-45105:

      • Description: Log4j 2.x did not protect from uncontrolled recursion from self-referential lookups, cause a denial of service(DoS)

    • CVE-2021-44832:

      • Description: An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

  • Log4j 1.x has reported following vulnerabilities:

    • CVE-2021-4104 :

      • Description: JMSAppender configuration along with TopicBindingName, TopicConnectionFactoryBindingName causes deserialization of untrusted data, that result in remote code execution(RCE)

    • CVE-2019-17571 :

      • Description: SocketServer class that is vulnerable to deserialization of untrusted data, can cause remote code execution(RCE).

This is a printer-friendly version of Article 358901 and may be out of date. For the latest version click CS358901