Article - CS359009

Apache Log4J 1.x Security Vulnerabilities (CVE-2021-4104, CVE-2019-17571, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307) – Impact on Windchill PLM & FlexPLM

Modified: 28-Apr-2022   


Applies To

  • Windchill PDMLink 11.1 M020
  • Windchill PDMLink 11.2.1.0
  • FlexPLM 11.1 M010 to M020
  • FlexPLM 11.2.1.0
  • FlexPLM 12.0.0.0
  • Windchill PDMLink 11.0 M030
  • FlexPLM 11.0 M030

Description

Multiple CVEs have been reported against Apache Log4j 1.x.  As Log4j 1.x is known to be out of support, analysis and justification are provided below to confirm the known impacts to Windchill PLM.

The product releases listed in the 'Applies To' section above all include Log4j version 1.2.17.

Vulnerable Apache Log4j versions for the identified CVEs: All 1.2.X versions up to 1.2.17

CVE-2021-4104
In Log4j 1.x, the JMSAppender performs a JNDI lookup if it is enabled in log4j’s configuration file.  Applications using Log4j 1.x may be impacted if their configuration uses JNDI (JMSAppender).

Base CVSS Score: 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Red Hat identified RHSB-2021-009 (CVE-2021-4104)
https://access.redhat.com/security/cve/CVE-2021-4104

Red Hat Bugzilla article includes additional details:
A flaw was found in the Java logging library Apache Log4j in version 1.x. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender.

CVE-2021-4104 only affects Log4j 1.2 when the product is specifically configured to use JMSAppender, which is not the OOTB configuration for Windchill.

CVE-2019-17571
Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data. When combined with a deserialization gadget, this can be exploited to remotely execute arbitrary code if the server is listening to untrusted network traffic for log data.

Base CVSS Score: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • The vulnerable SocketServer/SimpleSocketServer classes come into play as a capability of Log4j’s SocketAppender, which sends LoggingEvent objects to a remote log server, usually a SocketNode. The SocketNode reads LoggingEvent objects sent from a remote client over TCP sockets. These logging events are logged according to local policy, as if they were generated locally. The SocketAppender ships a serialized LoggingEvent object, without any layout, to the server side. On the remote host, deserializing the object gives access to all the same information, and the layout in which the logs are printed can be specified there.
  • The Log4j capability to receive remote logs through its SocketServer class (where the vulnerability exists) is not enabled in Windchill OOTB, and there is no such call from the Windchill codebase.  Furthermore, no Windchill documentation mentions enabling or running this capability.
CVE-2019-17571 only applies if Log4j is used to receive remote logs through its SocketServer class, which is neither enabled in the OOTB configuration for Windchill nor called from the codebase.

CVE-2022-23302
Base Score: 8.8 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerable Apache Log4j versions: 1.x
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or when the configuration references an LDAP service the attacker has access to.  The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution, in a similar fashion to CVE-2021-4104.
Note that this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default.
Red Hat article includes details:
A flaw was found in the Java logging library Apache Log4j in version 1.x. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSSink.

CVE-2022-23305
Base Score: 9.8 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Apache Log4j versions: 1.2.x
The CVE states that the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter, where the values to be inserted are converters from PatternLayout.  The message converter, %m, is likely to always be included.  This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are then logged, causing unintended SQL queries to be executed.
This CVE ONLY affects applications which use Log4j 1.2.x and are specifically configured to use JDBCAppender, which is not the OOTB configuration for Windchill.

CVE-2022-23307
Base Score: 9.8 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Apache Log4j versions: 1.2.x
There is a deserialization problem in Chainsaw, the log viewer in Log4j 1.2.x, which may allow arbitrary code execution.  The vulnerability was previously tracked as CVE-2020-9493, and the official Apache Chainsaw 2.1.0 release fixes it.  Log4j is not configured to use Chainsaw by default.
As per Red Hat, a flaw was found in the Log4j 1.x Chainsaw component, where the contents of certain log entries are deserialized and may permit code execution.
This CVE only affects applications that use Chainsaw and its features to listen for LoggingEvent objects sent using SocketAppender, which is neither enabled in the OOTB Windchill configuration nor called from the Windchill codebase.
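Each of the five CVEs above hinges on a specific Log4j 1.x component being wired into the configuration (JMSAppender, SocketServer/Chainsaw receivers, JMSSink, JDBCAppender), so the practical check for a deployment is to audit log4j.properties and log4j.xml for those classes. The following script is an added example written for this article; it is not PTC code and is not part of any Windchill or FlexPLM release. It parses the standard log4j.properties key layout and the log4j.xml appender elements, maps the affected classes to their CVEs, and additionally flags a JDBCAppender whose sql statement embeds the %m converter. All configurations inside it are constructed for the demonstration, and the hostnames, paths and JDBC URL are placeholders.

```python
"""Audit a Log4j 1.x configuration for the components named in CVE-2021-4104,
CVE-2019-17571, CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307.

Added example for this article (not PTC code). Understands log4j.properties
(log4j.appender.<name>=<class>, log4j.appender.<name>.<prop>=<value>) and the
log4j.xml <appender class="..."> form. All sample configurations are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Appender classes the article ties to a CVE. SocketAppender itself only ships
# events, but its presence means a SocketServer or Chainsaw receiver (where the
# deserialization flaw lives) is expected to be listening somewhere.
APPENDER_CVES = {
    "org.apache.log4j.net.JMSAppender": ("CVE-2021-4104", "performs a JNDI lookup when configured"),
    "org.apache.log4j.jdbc.JDBCAppender": ("CVE-2022-23305", "builds SQL from PatternLayout converters"),
    "org.apache.log4j.net.SocketAppender": ("CVE-2019-17571 / CVE-2022-23307",
                                            "implies a SocketServer or Chainsaw receiver is in use"),
}
# Non-appender classes that should not be referenced anywhere in a configuration.
REFERENCE_CVES = {
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.net.SocketServer": "CVE-2019-17571",
    "org.apache.log4j.net.SimpleSocketServer": "CVE-2019-17571",
    "org.apache.log4j.chainsaw": "CVE-2022-23307",
}
PROPERTY_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*)$")


def parse_properties(text):
    """Return {appender name: {'class': ..., 'props': {...}}} from log4j.properties."""
    appenders = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank or comment line
        m = PROPERTY_RE.match(line)
        if not m:
            continue  # rootLogger / logger.* keys are not appender definitions
        name, prop, value = m.group(1), m.group(2), m.group(3).strip()
        entry = appenders.setdefault(name, {"class": None, "props": {}})
        if prop is None:
            entry["class"] = value
        else:
            entry["props"][prop] = value
    return appenders


def parse_xml(text):
    """Same shape as parse_properties, for the <appender> elements of log4j.xml."""
    appenders = {}
    for app in ET.fromstring(text).iter("appender"):
        props = {p.get("name"): p.get("value", "") for p in app.findall("param")}
        appenders[app.get("name")] = {"class": app.get("class"), "props": props}
    return appenders


def audit(text):
    """Return a list of (CVE, explanation) findings for one configuration file."""
    appenders = parse_xml(text) if text.lstrip().startswith("<") else parse_properties(text)
    findings = []
    for name, entry in appenders.items():
        cls = entry["class"] or ""
        if cls in APPENDER_CVES:
            cve, why = APPENDER_CVES[cls]
            findings.append((cve, f"appender '{name}' is {cls}: {why}"))
        # %m is the injection point the article describes, so report it separately.
        if cls.endswith("JDBCAppender") and "%m" in entry["props"].get("sql", ""):
            findings.append(("CVE-2022-23305", f"appender '{name}' sql statement embeds %m"))
    for cls, cve in REFERENCE_CVES.items():
        if cls in text:
            findings.append((cve, f"configuration references {cls}"))
    return findings


# Constructed configuration that wires in two of the affected appenders.
AFFECTED_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, jms, db
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=LogTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:placeholder://db-host.example/logs
log4j.appender.db.sql=INSERT INTO LOGS VALUES ('%x','%d','%C','%p','%m')
"""
# Constructed console + rolling-file setup, the shape none of the five CVEs reach.
DEFAULT_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, file
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/placeholder-app/app.log
log4j.appender.file.layout=org.apache.log4j.PatternLayout
"""
# Constructed log4j.xml that ships events to a remote receiver.
SOCKET_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="remote" class="org.apache.log4j.net.SocketAppender">
    <param name="RemoteHost" value="log-collector.example"/>
    <param name="Port" value="4560"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="remote"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("affected", AFFECTED_PROPERTIES), ("default", DEFAULT_PROPERTIES), ("socket", SOCKET_XML)):
        print(f"[{label}]", *[f"\n  {cve}: {why}" for cve, why in audit(cfg)] or ["no findings"])
```

Running the script reports three findings for the constructed affected configuration (the JMSAppender, the JDBCAppender, and its %m statement), none for the console/file configuration, and one for the XML file that ships events to a remote receiver. A clean result only says the five components are not configured; it does not replace upgrading away from the unsupported 1.x line.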

Additional Note:
It has been confirmed that Log4j 1.x does not suffer from CVE-2021-44228, reported against Log4j 2.x. Refer to CS358789.
 
Windchill Release        | Apache Log4j version | Additional Information
11.0 M030                | log4j 1.x            | Immediate Action Strongly Recommended (see Resolution section for PTC recommendations)
11.1 M020 and earlier    | log4j 1.x            | Immediate Action Strongly Recommended (see Resolution section for PTC recommendations)
11.2.1                   | log4j 1.x            | Immediate Action Strongly Recommended (see Resolution section for PTC recommendations)
FlexPLM 11.1 M010        | log4j 1.x            | Immediate Action Strongly Recommended (see Resolution section for PTC recommendations)
FlexPLM 11.1 M020        | log4j 1.x            | Immediate Action Strongly Recommended (see Resolution section for PTC recommendations)
FlexPLM 11.2.1           | log4j 1.x            | Immediate Action Strongly Recommended (see Resolution section for PTC recommendations)
FlexPLM 12.0.0           | log4j 1.x            | Immediate Action Strongly Recommended (see Resolution section for PTC recommendations)

Impacts to 3rd Party Bundled Components:
  • Supported 3rd party bundled components may be vulnerable as well
    • Solr
    • Cognos
    • Tibco
  • PTC is working with each specific vendor to determine impact, exploitability, and recommended actions.  In addition, internal investigations are in progress to determine any possible interim steps to mitigate the security risk.
  • Refer to the table in the Resolution section for the latest updates on each 3rd party component.
Impacts to Integrated PTC Applications/Solutions associated to Log4j 1.x:
  • FlexPLM – The recommended actions should be followed.  Any additional considerations will be provided when/if they become available.
  • Navigate/ThingWorx – CS359107
  • Ping Federate – Under analysis
  • Wincom – There is not, and has never been, any direct active use of log4j v1 in any extension. The library was included only to satisfy a dependency in the code.  Analysis has confirmed that there is no attack surface or known exploitation.  The log4j 1.x references were removed in Windchill Extension Platform 1.11.2, but it is recommended to move to the latest available release, 1.12.2, which is available from windchill-extensions.ptc.com.
This is a PDF version of Article CS359009 and may be out of date. For the latest version click https://www.ptc.com/en/support/article/CS359009