Article - CS359107

ThingWorx Navigate Apache log4j vulnerability - Incident Response

Modified: 23-Dec-2021

Applies To

  • ThingWorx Navigate 9.0
  • ThingWorx Navigate 9.1
  • ThingWorx Navigate 9.2

Description

  • Log4j 1.x (Incident CVE-2021-4104)
    • While the Navigate runtime application itself does not use log4j 1.x and therefore is not vulnerable, Navigate runs on ThingWorx. Please review the recommendations for ThingWorx at ThingWorx Apache log4j vulnerability - Incident Response
    • The ThingWorx Navigate installer tool uses log4j 1.x, but does not have the JMSAppender configured. Therefore, according to CVE-2021-4104, ThingWorx Navigate is not vulnerable, but out of an abundance of caution, we are recommending completely removing the impacted class
    • The ThingWorx Navigate installer tool uses log4j version 1.2.17
    • Log4j 1.2.17 is present in the Navigate 9.0, 9.1, and 9.2 installer files
  • Log4j 2.x (Incidents CVE-2021-44228 & CVE-2021-45046)
    • While the Navigate runtime application itself does not use log4j 2.x and therefore is not vulnerable, Navigate runs on ThingWorx. Please review the recommendations for ThingWorx at ThingWorx Apache log4j vulnerability - Incident Response
    • The Navigate configuration tool uses log4j 2.x. If you have already installed ThingWorx Navigate, the log4j libraries are present on disk but are not used by the runtime application
    • The ThingWorx Navigate configuration tool uses log4j version 2.13.3, and the recommendation is to implement the Apache-proposed remediation, which completely removes the impacted class
    • Log4j 2.13.3 is present in the Navigate 9.1 and 9.2 configuration tool files
  • Log4j 1.x (Incident CVE-2019-17571)
    • While the Navigate runtime application itself does not use log4j 1.x and therefore is not vulnerable, Navigate runs on ThingWorx. Please review the recommendations for ThingWorx at ThingWorx Apache log4j vulnerability - Incident Response
    • The ThingWorx Navigate installer tool uses log4j 1.x, but does not enable access to remote logs through its SocketServer class (where the vulnerability exists). Since there are no uses of the SocketServer/SimpleSocketServer class, Navigate is determined not to be impacted by CVE-2019-17571
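The article describes the remediation as "completely removing the impacted class" but does not name the class files. As an added example (not PTC tooling), the Python script below scans an install tree for JARs containing those classes and strips them, keeping the original JAR as a .bak for rollback. It assumes the class paths named in the Apache advisories (JndiLookup.class for log4j 2.x, JMSAppender.class for log4j 1.x); the sample install tree it builds is constructed and is not a real Navigate layout.

```python
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x, CVE-2021-44228/45046 (Apache advisory)
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"  # log4j 1.x, CVE-2021-4104 (Apache advisory)

def entries(jar_path):
    """Sorted entry names of a JAR (a JAR is just a ZIP archive)."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(zf.namelist())

def impacted_entries(jar_path):
    """Impacted class entries present in one JAR, sorted; [] when it is clean."""
    names = set(entries(jar_path))
    return sorted(e for e in (JNDI_LOOKUP, JMS_APPENDER) if e in names)

def strip_entries(jar_path, remove):
    """Rewrite jar_path without the entries in `remove`; the original is kept as jar_path.bak."""
    backup = jar_path + ".bak"
    os.replace(jar_path, backup)  # keep the untouched original for rollback
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(jar_path, "w") as dst:
        for info in src.infolist():
            if info.filename not in remove:  # every other entry is copied unchanged
                dst.writestr(info, src.read(info.filename))
    return backup

def scan(root, remove=False):
    """Map each affected JAR below root to its impacted entries; strip them when remove=True."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for jar in (os.path.join(dirpath, f) for f in files if f.lower().endswith(".jar")):
            hits = impacted_entries(jar)
            if hits:
                report[jar] = hits
                if remove:
                    strip_entries(jar, hits)
    return report

def make_sample_tree():
    """Constructed sample tree (not a real Navigate layout): two log4j JARs and one clean JAR."""
    root = tempfile.mkdtemp(prefix="navigate-sample-")
    jars = {"log4j-core-2.13.3.jar": [JNDI_LOOKUP, "org/apache/logging/log4j/core/Logger.class"],
            "log4j-1.2.17.jar": [JMS_APPENDER, "org/apache/log4j/Logger.class"],
            "app.jar": ["com/example/App.class"]}
    for name, names in jars.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            for entry in names:
                zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return root
```

Run scan(root) first to review what would change, then scan(root, remove=True); a second scan(root) should return an empty report, and the .bak copies allow rollback if a tool later needs the original JAR.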
This is a PDF version of Article CS359107 and may be out of date. For the latest version click https://www.ptc.com/en/support/article/cs359107