Article - CS378340
ThingWorx 9.3.x High Availability requires Ignite 2.11 which is vulnerable to exploits via Log4j
Modified: 22-Mar-2024
Applies To
- ThingWorx Platform 9.3 F000 to SP14
Description
- ThingWorx 9.3.x until 9.3.14 requires Ignite 2.11.0, which is vulnerable to Log4j CVEs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
- Downloaded and implemented ThingWorx Ignite DockerFiles and found that they contain Ignite 2.11, which is vulnerable to Log4j exploits
- ThingWorx DockerFiles contain a version of Ignite which leverages exploited versions of Log4j 2
- Are ThingWorx DockerFiles 3.10 and lower impacted by Log4j?
- ThingWorx Ignite DockerFiles 3.10 and lower implement Ignite 2.11, which is impacted by the following CVEs:
  - CVE-2021-44228
  - CVE-2021-45046
  - CVE-2021-45105
- Downloaded MED-61353-CD-093_SP4_ThingWorx-Ignite-DockerFiles-3-10.tar.gz from the PTC Support Portal and found that the files are vulnerable to the Log4j 2 issue
- The following downloads from the PTC Support Portal seem to include Ignite 2.11 which can be exploited by the Log4j 2 exploits:
  - ThingWorx-Ignite-DockerFiles-3-10
    - MED-61353-CD-093_SP4_ThingWorx-Ignite-DockerFiles-3-10.tar.gz
  - ThingWorx-Ignite-DockerFiles-3-9
    - MED-61353-CD-093_F000_ThingWorx-Ignite-DockerFiles-3-9.tar.gz
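A check that could be run against a downloaded archive or a built image export, added here as an example (not PTC's or Apache's code): it walks a tar.gz and any nested zip/jar/tar in memory, finds log4j-core jars by file name, and reports which of the three CVEs above each version still carries. The fixed-in versions come from the Apache Log4j security advisories rather than from this article, and the sample archive, its paths and the jar versions in it are constructed.

```python
import io, re, tarfile, zipfile

# Assumption: fixed-in versions per Apache's advisories; (2, 12)/(2, 3) are the backport lines.
FIXED = {
    "CVE-2021-44228": {"main": (2, 15, 0), (2, 12): (2, 12, 2), (2, 3): (2, 3, 1)},
    "CVE-2021-45046": {"main": (2, 16, 0), (2, 12): (2, 12, 2), (2, 3): (2, 3, 1)},
    "CVE-2021-45105": {"main": (2, 17, 0), (2, 12): (2, 12, 3), (2, 3): (2, 3, 1)},
}
JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")

def open_cves(version):
    """List the article's CVEs that a log4j-core (major, minor, patch) still carries."""
    return [c for c, fix in FIXED.items() if version < fix.get(version[:2], fix["main"])]

def members(name, data):
    """Yield (path, bytes) for each file in a tar or zip container, read in memory."""
    buf = io.BytesIO(data)
    if name.endswith((".tar", ".tar.gz", ".tgz")):
        with tarfile.open(fileobj=buf) as tf:
            yield from ((m.name, tf.extractfile(m).read()) for m in tf if m.isfile())
    elif name.endswith((".zip", ".jar", ".war")) and zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            yield from ((n, zf.read(n)) for n in zf.namelist() if not n.endswith("/"))

def scan(name, data):
    """Return {path: [open CVEs]} for every log4j-core jar, including nested archives."""
    m = JAR.search(name)
    if m:
        return {name: open_cves(tuple(int(g or 0) for g in m.groups()))}
    found = {}
    for inner, blob in members(name, data):
        found.update(scan(f"{name}!/{inner}", blob))
    return found

def build_sample():
    """Constructed archive: a tar.gz holding a zip with two placeholder jars."""
    z, t = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(z, "w") as zf:
        zf.writestr("libs/log4j-core-2.14.0.jar", b"placeholder")
        zf.writestr("libs/optional/log4j-core-2.17.1.jar", b"placeholder")
    with tarfile.open(fileobj=t, mode="w:gz") as tf:
        info = tarfile.TarInfo("staging/sample-ignite.zip")
        info.size = len(z.getvalue())
        tf.addfile(info, io.BytesIO(z.getvalue()))
    return t.getvalue()

if __name__ == "__main__":
    for path, cves in scan("sample.tar.gz", build_sample()).items():
        print(path, "->", ", ".join(cves) or "none of the three CVEs")
```

Matching is by file name only, so Log4j classes repackaged inside another jar are not detected.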