Article - CS358990

PTC Axeda Products Apache log4j vulnerability - Incident Response

Modified: 03-Feb-2022   


Applies To

  • Axeda - Platform 6.9.2

Description

  • Customer alert and recommendations for remediation of the identified Apache log4j vulnerabilities CVE-2021-44228, CVE-2021-45105, CVE-2021-4104, CVE-2019-17571 and CVE-2021-44832
  • The vulnerability is in a third-party library that PTC software uses to log application errors, events and associated information
  • If exploited, the vulnerability allows remote, potentially malicious code execution in your environments
  • In the interim, there may be configuration settings that remove the vulnerability; PTC recommends applying them immediately to the PTC Axeda installations and components identified in this article
  • The following vulnerabilities have been reported in Log4j 2.x:
    • CVE-2021-44228:
      • Description: Log4j JNDI features do not protect against attacker-controlled LDAP and other JNDI endpoints
    • CVE-2021-45105:
      • Description: Log4j 2.x did not protect against uncontrolled recursion from self-referential lookups, which can cause a denial of service (DoS)
    • CVE-2021-44832:
      • Description: An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code
  • The following vulnerabilities have been reported in Log4j 1.x:
    • CVE-2021-4104:
      • Description: A JMSAppender configuration with the TopicBindingName and TopicConnectionFactoryBindingName parameters causes deserialization of untrusted data, which can result in remote code execution (RCE)
    • CVE-2019-17571:
      • Description: The SocketServer class is vulnerable to deserialization of untrusted data, which can cause remote code execution (RCE)
    • CVE-2022-23302:
      • Description: JMSSink deserializes untrusted data when the attacker has write access to the Log4j configuration or when the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration that causes JMSSink to perform JNDI requests resulting in remote code execution, in a similar fashion to CVE-2021-4104
    • CVE-2022-23305:
      • Description: JDBCAppender allows attackers to manipulate the SQL by entering crafted strings into application input fields or headers that are logged, allowing unintended SQL queries to be executed
    • CVE-2022-23307:
      • Description: A deserialization issue present in Apache Chainsaw (org.apache.log4j.chainsaw.*)
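As an added example (not PTC's code and not part of this article), the following Python inventory check walks an installation directory, opens every jar/war/ear, recurses into jars bundled inside them, and reports which of the log4j 1.x and 2.x classes behind the CVEs listed above are present, so an administrator can confirm exposure before and after remediation. The class paths are the standard log4j ones; the /opt/axeda path is a placeholder for the real Axeda install directory.

```python
import io
import os
import zipfile

# Archive entry -> advisory CVE whose attack surface that class provides.
INDICATORS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "CVE-2021-44228",
    "org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender.class": "CVE-2021-44832",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
}
# CVE-2022-23307 covers the whole org.apache.log4j.chainsaw.* package, so match by prefix.
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, label: str) -> dict:
    """Return {cve: [location, ...]} for one archive, recursing into jars nested inside it."""
    findings = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    with zf:
        for name in zf.namelist():
            cve = INDICATORS.get(name)
            if cve is None and name.startswith(CHAINSAW_PREFIX) and name.endswith(".class"):
                cve = "CVE-2022-23307"
            if cve:
                # outer!inner points at the exact file, e.g. app.war!WEB-INF/lib/x.jar!...
                findings.setdefault(cve, []).append(f"{label}!{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                for inner_cve, locs in scan_archive(zf.read(name), f"{label}!{name}").items():
                    findings.setdefault(inner_cve, []).extend(locs)
    return findings


def scan_tree(root: str) -> dict:
    """Walk an install tree and merge the findings of every archive beneath it."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    for cve, locs in scan_archive(fh.read(), path).items():
                        findings.setdefault(cve, []).extend(locs)
    return findings
```

Run `scan_tree("/opt/axeda")` (substituting the real install directory) and expect an empty result once the affected jars have been patched or the listed classes removed.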

This is a PDF version of Article CS358990 and may be out of date. For the latest version click https://www.ptc.com/en/support/article/CS358990