Technical Article - CS359107
ThingWorx Navigate Apache log4j vulnerability - Incident Response
Modified: 23-Dec-2021
Applies To
- ThingWorx Navigate 9.2
- ThingWorx Navigate 9.0
- ThingWorx Navigate 9.1
Description
- Log4j 1.x (Incident CVE-2021-4104)
- While the Navigate runtime application itself does not use log4j 1.x and is therefore not vulnerable, Navigate runs on ThingWorx. Please review the recommendations for ThingWorx in the article ThingWorx Apache log4j vulnerability - Incident Response
- The ThingWorx Navigate installer tool uses log4j 1.x, but does not have the JMSAppender configured. Therefore, per CVE-2021-4104, ThingWorx Navigate is not vulnerable; out of an abundance of caution, we nevertheless recommend completely removing the impacted class
- ThingWorx Navigate installer tool is using log4j version 1.2.17
- Log4j 1.2.17 is present in Navigate 9.0, 9.1, & 9.2 installer files
- Log4j 2.x (Incidents CVE-2021-44228 & CVE-2021-45046)
- While the Navigate runtime application itself does not use log4j 2.x and is therefore not vulnerable, Navigate runs on ThingWorx. Please review the recommendations for ThingWorx in the article ThingWorx Apache log4j vulnerability - Incident Response
- The Navigate configuration tool uses log4j 2.x. If you have already installed ThingWorx Navigate, the log4j libraries are present on disk but are not used by the runtime application
- The ThingWorx Navigate configuration tool uses log4j version 2.13.3, and Navigate recommends implementing the remediation proposed by Apache that completely removes the impacted class
- Log4j 2.13.3 is present in Navigate 9.1 & 9.2 configuration tool files
- Log4j 1.x (Incident CVE-2019-17571)
- While the Navigate runtime application itself does not use log4j 1.x and is therefore not vulnerable, Navigate runs on ThingWorx. Please review the recommendations for ThingWorx in the article ThingWorx Apache log4j vulnerability - Incident Response
- The ThingWorx Navigate installer tool uses log4j 1.x, but does not enable access to remote logs through its SocketServer class (where the vulnerability exists). Since there are no uses of the SocketServer/SimpleSocketServer class, Navigate is determined not to be impacted by CVE-2019-17571
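The following script is an added example, not PTC's code or part of this article. It shows one way to carry out the "completely remove the impacted class" remediation recommended above for both the installer tool's log4j 1.2.17 jar and the configuration tool's log4j 2.13.3 jar, and to confirm afterwards that the classes are gone. The class entry paths are taken from the CVE descriptions and the Apache log4j advisory, not from this article (JndiLookup for CVE-2021-44228/CVE-2021-45046, JMSAppender for CVE-2021-4104, SocketServer for CVE-2019-17571); the directory you point it at is assumed to be wherever your Navigate installer and configuration tool files live. SocketServer is only reported, not removed, because the article states it is unused and recommends no change for it.

```python
"""Scan a directory tree for log4j jars, report the classes tied to the CVEs
discussed above, and strip the ones the remediation says to remove.

Added example, not PTC's code. Assumptions: the jar entry paths below are the
ones named in the CVE descriptions / Apache advisory (not in the article), and
the root directory you pass in is where the Navigate installer and
configuration tool keep their jars.
"""
import os
import tempfile
import zipfile

# Class entries named by the CVEs (assumption: from the CVE text, not from the article).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x, CVE-2021-44228/45046
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # log4j 1.x, CVE-2021-4104
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"              # log4j 1.x, CVE-2019-17571

# Removed: the two classes the article recommends stripping. Reported only: SocketServer,
# which the article says is not used and does not ask you to remove.
CLASSES_TO_REMOVE = (JNDI_LOOKUP, JMS_APPENDER)
CLASSES_TO_REPORT = (JNDI_LOOKUP, JMS_APPENDER, SOCKET_SERVER)


def find_log4j_jars(root):
    """Yield every *.jar under root whose file name starts with 'log4j'."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith("log4j") and name.lower().endswith(".jar"):
                yield os.path.join(dirpath, name)


def implementation_version(jar_path):
    """Read Implementation-Version from the jar manifest, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None


def scan_jar(jar_path):
    """Return {'version': str|None, 'present': [entries of interest found in this jar]}."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return {
        "version": implementation_version(jar_path),
        "present": [c for c in CLASSES_TO_REPORT if c in names],
    }


def remove_classes(jar_path, classes=CLASSES_TO_REMOVE):
    """Rewrite jar_path without the given entries (zipfile cannot delete in place).
    Returns the entries actually removed; the jar is left untouched if none matched."""
    with zipfile.ZipFile(jar_path) as src:
        removed = [n for n in src.namelist() if n in classes]
        if not removed:
            return []
        fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename in classes:
                    continue
                dst.writestr(info, src.read(info.filename))  # keeps compression and timestamps
    os.replace(tmp_path, jar_path)  # atomic swap on the same filesystem
    return removed


def scan_tree(root):
    """Map each log4j jar under root to its scan result."""
    return {jar: scan_jar(jar) for jar in find_log4j_jars(root)}


def remediate_tree(root):
    """Strip the impacted classes from every log4j jar under root; return {jar: removed}."""
    return {jar: remove_classes(jar) for jar in find_log4j_jars(root)}


def build_sample_jar(path, version, entries):
    """Constructed test fixture: a minimal jar with a manifest and empty class entries.
    Not a real log4j jar; it only reproduces the entry names the scanner looks for."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        for entry in entries:
            zf.writestr(entry, b"")


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, result in scan_tree(root).items():
        print(jar, result["version"], result["present"])
    if "--remove" in sys.argv:
        for jar, removed in remediate_tree(root).items():
            print("removed", removed, "from", jar)
```

Run it once without `--remove` to see which jars and classes are present, back up the jars (or record their checksums), then run with `--remove` and scan again to confirm the `present` list is empty for JndiLookup and JMSAppender. Only jars whose file name begins with `log4j` are considered, so a log4j copy bundled under another name would need to be added to the search yourself.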
This is the PDF version of technical article 359107 and may be out of date. For the latest version, see CS359107