Article - CS386653

Potential Impact of Apache HTTP Server (2.4 to 2.4.54) security vulnerability (CVE-2022-36760) in Windchill PDMLink & FlexPLM

Modified: 03-May-2023   


Applies To

  • FlexPLM 11.1 M020
  • FlexPLM 12.0.2.0
  • FlexPLM 12.1.2.0
  • FlexPLM 12.0.3.0
  • Windchill PDMLink 12.0.2.0
  • Windchill PDMLink 12.1.1.0
  • Windchill PDMLink 12.1.2.0
  • Pro/INTRALINK 8.x + 11.1 to 11.2
  • Windchill PDM Essentials 11.1
  • Windchill ProjectLink 11.1 to 12.1
  • PTC Arbortext Content Manager 11.1 to 12.1
  • Windchill PDMLink 11.0

Description

  • A critical vulnerability, CVE-2022-36760, has been reported in Apache HTTP Server versions 2.4 to 2.4.54
  • CVE-2022-36760
    • Base CVSS Score (NVD) – 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Possible HTTP request smuggling
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
  • Potential impact of this issue in Windchill & FlexPLM is subject to specific configurations (Refer to Resolution section for more details)
  • This article has been created to provide information and recommended actions
  • Refer to PTC article CS385055 for details regarding additional vulnerabilities also fixed in Apache HTTP Server 2.4.55
  • Refer to the Apache website for more details: Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project
  • Does the Windchill system use mod_proxy_ajp? Is it possible to disable the AJP Connector?
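
As an added example (not PTC's or Apache's own code), the following triage check tests the two conditions this article ties to CVE-2022-36760: a server version in the 2.4 to 2.4.54 range and active use of mod_proxy_ajp. The function names, result labels and sample banner and configuration are assumptions constructed for illustration.

```python
import re

AFFECTED_MAX = (2, 4, 54)  # last affected release per this article; 2.4.55 has the fix

def parse_version(banner):
    """Pull (major, minor, patch) out of `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def version_affected(banner):
    """True/False for a parsed version, None when no version could be read."""
    v = parse_version(banner)
    if v is None:
        return None
    return v[:2] == (2, 4) and v <= AFFECTED_MAX

def ajp_findings(conf_text):
    """Active (uncommented) directives that load mod_proxy_ajp or proxy to ajp://."""
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (re.match(r"LoadModule\s+proxy_ajp_module\b", line, re.I)
                or re.search(r"\bajp://", line, re.I)):
            hits.append((n, line))
    return hits

def assess(banner, conf_text):
    """Combine both checks into a triage label plus the matching config lines."""
    affected, hits = version_affected(banner), ajp_findings(conf_text)
    if affected is None:
        return "version-unknown", hits
    if not affected:
        return "version-not-in-range", hits
    return ("in-range-ajp-configured" if hits else "in-range-no-ajp-found"), hits

# Constructed sample input (not taken from a real Windchill or FlexPLM system).
SAMPLE_BANNER = "Server version: Apache/2.4.54 (Unix)"
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#ProxyPass /old ajp://localhost:8009/old
ProxyPass /app ajp://localhost:8010/app
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```

Pass in the main configuration together with the contents of every included file, since the check only sees the text it is given. `httpd -M` remains the authoritative list of loaded modules, including any compiled in statically.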