Article - CS359011
Apache Log4j 2.x Security Vulnerability Impact on Solr (Windchill)
Modified: 05-Jan-2024
Applies To
- Windchill PDMLink 12.0.2.0 to 12.0.2.4
- Windchill PDMLink 11.0 M030
- Windchill PDMLink 11.1 M020
- Windchill PDMLink 11.2.1.0
- Windchill PDMLink 12.0.2.0
Description
Last Update: 1/19/2022 4:00PM EST (see version history below)
A critical zero-day vulnerability has been reported in the third-party library log4j. This article has been created to provide customers with information and recommended actions related to Solr, a supported third-party product integrated with Windchill.
The analysis and investigation are ongoing. As new vulnerabilities in Apache log4j are reported or new recommended mitigations are identified, this article will be updated. Check this article regularly for additional updates to ensure you have the latest details.
CVE-2021-44228
Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
The following vulnerability, related to the CVE above, has also been reported; it is recommended to address it with the same priority.
CVE-2021-45046
Base CVSS Score: 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerable Apache log4j versions for the CVEs above: all versions from 2.0-beta9 to 2.15.0
The following CVE was reported by Apache against log4j versions 2.0-beta to 2.16:
CVE-2021-45105
Base CVSS Score: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The following CVE was reported by Apache against Log4j 2.17:
CVE-2021-44832
Base CVSS Score: 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Vulnerable Apache Log4j versions for the CVE: 2.0-beta7 to 2.17.0
Refer to the Apache article for more details:
https://logging.apache.org/log4j/2.x/security.html
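The version ranges above are the facts a defender actually needs when triaging a Solr install: which of the four CVEs the article lists still apply to the log4j-core jar that is present. The following Python script is an added example, not code from the PTC article, PTC, Lucidworks or Apache; it encodes the ranges exactly as the article states them (the article gives "2.0-beta" with no beta number for CVE-2021-45105, treated here as the earliest beta), orders beta and rc pre-releases before the final 2.0 release, and reports the applicable CVEs for each log4j-core jar in a directory listing. It assumes jar files are named log4j-core-<version>.jar (a naming assumption); the listing in the script is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected Log4j 2.x version ranges as the article states them (inclusive bounds).
# "2.0-beta" with no number (CVE-2021-45105) is treated as the earliest beta.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "CVE-2021-44228": ("2.0-beta9", "2.15.0"),
    "CVE-2021-45046": ("2.0-beta9", "2.15.0"),
    "CVE-2021-45105": ("2.0-beta", "2.16"),
    "CVE-2021-44832": ("2.0-beta7", "2.17.0"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d*))?$")
_PRE_RANK = {"beta": 0, "rc": 1}  # pre-releases sort before the final release (rank 2)
# Assumed jar naming convention: log4j-core-<version>.jar
_JAR_RE = re.compile(r"^log4j-core-(\d[\w.\-]*)\.jar$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Log4j version string into a sortable tuple.

    2.0-beta9 -> (2, 0, 0, 0, 9); 2.0-rc1 -> (2, 0, 0, 1, 1); 2.15.0 -> (2, 15, 0, 2, 0)
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre] if pre else 2
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from the article whose stated range contains `version`."""
    key = parse_version(version)
    return [
        cve for cve, (low, high) in AFFECTED_RANGES.items()
        if parse_version(low) <= key <= parse_version(high)
    ]


def log4j_core_version(jar_name: str) -> Optional[str]:
    """Extract the version from a log4j-core jar file name, or None if it is not one."""
    m = _JAR_RE.match(jar_name)
    return m.group(1) if m else None


def scan_jar_names(jar_names: List[str]) -> Dict[str, List[str]]:
    """Map each log4j-core jar in a listing to the article's CVEs that apply to it."""
    report: Dict[str, List[str]] = {}
    for name in jar_names:
        version = log4j_core_version(name)
        if version is not None:
            report[name] = affected_cves(version)
    return report


if __name__ == "__main__":
    # Constructed sample directory listing, not taken from any real Solr install.
    sample_listing = [
        "log4j-core-2.14.1.jar",
        "log4j-api-2.14.1.jar",
        "log4j-core-2.16.0.jar",
        "log4j-core-2.17.1.jar",
        "lucene-core-8.11.1.jar",
    ]
    for jar, cves in scan_jar_names(sample_listing).items():
        print(f"{jar}: {', '.join(cves) if cves else 'not in any listed range'}")
```

Run against a real listing (for example the output of `ls` on the directory that holds Solr's jars), the script reports that 2.14.1 falls in all four ranges, 2.16.0 still falls in the ranges for CVE-2021-45105 and CVE-2021-44832, 2.17.0 only in the range for CVE-2021-44832, and 2.17.1 in none of the listed ranges. Only log4j-core jars are checked, because the CVEs above concern log4j-core rather than log4j-api.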
Version History Updates:
| Date & Time of Update | Comments |
| --- | --- |
| 12/14/2021 6:00 PM EST | Initial content |
| 12/15/2021 6:00 PM EST | Updated to include CVE-2021-45046 and clarity on provided workaround |
| 12/16/2021 4:00 PM EST | Updated Resolution with new recommended workaround and additional version details |
| 12/20/2021 | Added CVE-2021-45105; added note for Prometheus Exporter; updated workaround steps to address questions |
| 12/21/2021 | General spelling and wording updates; clarification for step 3 in Resolution for both Standalone and Cloud mode |
| 12/22/2021 | Clarified note for Prometheus Exporter of Solr |
| 12/23/2021 | Added CVE-2021-45105 remediation information |
| 12/29/2021 | Updated to include CVE-2021-44832; updated to include Windchill 11.0 M030 |
| 1/3/2022 | Corrected typos in text/hyperlinks |
| 1/5/2022 | Clarified upgrade steps for both Standalone and Cloud mode |
| 1/7/2022 | Updated analysis from Lucidworks for CVE-2021-44832 |
| 1/10/2022 | Clarified upgrade steps for Standalone mode |
| 1/19/2022 | Added clarification for Solr impact |
| 2/11/2022 | Added details for 12.0.2 CPS releases |
| 3/8/2022 | Added details for upcoming Windchill CPS releases updating to Solr 8.11.1, which includes Log4j 2.16.0 |