Article - CS359008

Apache Log4j 2.x Security Vulnerability Impact on TIBCO (Windchill)

Modified: 06-Jan-2022   


Applies To

  • Windchill PDMLink 11.1 M020
  • Windchill PDMLink 11.2.1.0
  • Windchill PDMLink 12.0.2.0
  • Windchill PDMLink 11.0 M030

Description

Last Update:  1/6/2022  8:00PM EST (see version history below)

A critical zero-day vulnerability has been reported in the third-party library Log4j. This article has been created to provide customers with information and recommended actions related to Tibco products, a third-party supported integrated solution for Windchill.


The investigation and analysis are ongoing. As new vulnerabilities in Apache Log4j are reported or new recommended mitigations are identified, this article will be updated. Check back regularly for additional updates to ensure you have the latest details.

CVE-2021-44228
Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

An additional, less critical vulnerability related to the above CVE has also been reported. It is recommended to address this as a priority as well.

CVE-2021-45046

Vulnerable Apache Log4j versions for the above CVEs: all versions from 2.0-beta9 to 2.15.0

The following CVE was reported by Apache against Log4j 2.16:
CVE-2021-45105
Base CVSS Score: 7.5    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.16

The following CVE was reported by Apache against Log4j 2.16:
CVE-2021-44832
Base CVSS Score: 6.6   CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.17.0

Refer to Apache article for more details:
https://logging.apache.org/log4j/2.x/security.html
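The version ranges above can be turned into an inventory check. The following Python script is an added example and is not part of the PTC article or of any Tibco or Windchill tooling: it walks a directory tree (for instance the library folders of a Windchill installation), identifies log4j-core jars either from the Maven pom.properties entry inside the jar or, failing that, from the file name, and reports which of the four CVEs listed above apply to each version found. The affected ranges are encoded exactly as this article states them (the article's "2.16" is read as 2.16.0), and the sample jars the script builds in a temporary directory are constructed for the demonstration only.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Inclusive affected ranges as stated in this article (not re-derived from
# Apache's advisory), keyed by CVE. Dict order is the report order.
AFFECTED_RANGES = {
    "CVE-2021-44228": ("2.0-beta9", "2.15.0"),
    "CVE-2021-45046": ("2.0-beta9", "2.15.0"),
    "CVE-2021-45105": ("2.0-beta7", "2.16.0"),
    "CVE-2021-44832": ("2.0-beta7", "2.17.0"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.I)
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
# Real path of the Maven metadata shipped inside log4j-core jars.
_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
_FILENAME_RE = re.compile(r"^log4j-core-(.+)\.jar$", re.I)


def version_key(version: str) -> Tuple[int, ...]:
    """Map '2.0-beta9', '2.15.0', '2.17' ... to a tuple that sorts correctly."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    # A final release ranks above any pre-release of the same numeric version.
    pre = (_PRERELEASE_RANK[tag.lower()], int(tag_num or 0)) if tag else (3, 0)
    return (int(major), int(minor), int(patch or 0)) + pre


def affected_cves(version: str) -> List[str]:
    """CVEs from the article whose inclusive range contains this version.
    Log4j 1.x versions fall below every range and therefore return []."""
    key = version_key(version)
    return [cve for cve, (lo, hi) in AFFECTED_RANGES.items()
            if version_key(lo) <= key <= version_key(hi)]


def log4j_core_version(jar_path: str) -> Optional[str]:
    """Version of log4j-core inside a jar, or None if the jar is not log4j-core.
    The embedded pom.properties wins over the file name, so renamed or
    vendor-bundled copies are still recognised."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if _POM_PROPS in zf.namelist():
                for line in zf.read(_POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    m = _FILENAME_RE.match(os.path.basename(jar_path))
    return m.group(1) if m else None


def scan_tree(root: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map every log4j-core jar under root to (version, applicable CVEs)."""
    findings: Dict[str, Tuple[str, List[str]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is not None:
                findings[path] = (version, affected_cves(version))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample jars (no real Log4j code) for the demonstration."""
    def write_jar(name: str, version: Optional[str] = None) -> None:
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version:
                zf.writestr(_POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    write_jar("log4j-core-2.14.1.jar", "2.14.1")  # version recorded inside the jar
    write_jar("log4j-core-2.17.1.jar")            # version only in the file name
    write_jar("bundled-logging.jar", "2.16.0")    # renamed copy; name reveals nothing
    write_jar("commons-lang3-3.12.0.jar")         # unrelated library; must be ignored


def scan_sample() -> Dict[str, Tuple[str, List[str]]]:
    """Build the constructed tree in a temp dir and return findings by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.basename(p): v for p, v in scan_tree(tmp).items()}


if __name__ == "__main__":
    for name, (version, cves) in sorted(scan_sample().items()):
        status = ", ".join(cves) if cves else "not affected by the CVEs above"
        print(f"{name}: log4j-core {version} -> {status}")
```

Point `scan_tree` at a real installation root instead of the constructed sample to produce the same per-jar report; a hit on a renamed jar such as the `bundled-logging.jar` case is the one a file-name-only search would miss.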

Version History Updates:

Date & Time of Update    Comments
12/14/2021 5:00 PM EST   Initial Content
12/15/2021 6:00 PM EST   Updated to include CVE-2021-45046 and clarity on provided workaround
12/16/2021 4:00PM        Removed PTC POC workaround notes, not endorsed by Tibco
12/20/2021 6:00PM EST    Added CVE-2021-45105
                         Added Tibco Hotfix01 Remediation Steps
12/23/2021 1:00PM EST    Updated to include CVE-2021-45046
                         Updated table description
12/29/2021 1:00PM EST    Updated to include CVE-2021-44832
                         Updated to include Windchill 11.0 M030
1/6/2022                 Added analysis from Tibco for CVE-2021-44832
This is a PDF version of Article CS359008 and may be out of date. For the latest version click https://www.ptc.com/en/support/article/CS359008