Apache Log4j 2.x Security Vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) - Impact on Windchill and FlexPLM
Applies To
- Windchill PDMLink 11.0 M030
- FlexPLM 11.0 M030
- FlexPLM 11.1 M010
- FlexPLM 11.1 M020
- Windchill PDMLink 11.1 M020
- Windchill PDMLink 11.2.1.0
- FlexPLM 11.2.1.0
- FlexPLM 12.0.0.0
- FlexPLM 12.0.2.0
- Windchill PDMLink 12.1.0.0
- Windchill PDMLink 12.0.2.0
Description
This article has been created to provide customers with information and recommended actions.
Analysis and investigation are ongoing:
- Check this article regularly for additional updates to ensure you have the latest details.
- CVE-2021-44228
  Base CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- The following vulnerability, related to the CVE above, has also been reported. It is recommended to address it with the same priority.
  CVE-2021-45046
  Base CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
  Vulnerable Apache Log4j versions for the two CVEs above: all versions from 2.0-beta9 to 2.15.0
- The following CVE was reported by Apache against Log4j versions 2.0-beta9 to 2.16:
  CVE-2021-45105
  Base CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Vulnerable Apache Log4j versions for this CVE: 2.0-beta7 to 2.16
- The following CVE was reported by Apache against Log4j 2.17:
  CVE-2021-44832
  Base CVSS Score: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Vulnerable Apache Log4j versions for this CVE: 2.0-beta7 to 2.17.0
- Refer to the Apache security page for more details:
  https://logging.apache.org/log4j/2.x/security.html
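As an added defender-side example (not PTC's code and not part of the original advisory), the following Python maps a Log4j 2.x version string to the CVEs listed above, using the version ranges exactly as this page states them. It handles pre-release ordering (2.0-beta9 sorts below 2.0) and two-part versions such as "2.16" as Apache writes them. The jar-name scanning helper and the sample file names are constructed assumptions for illustration; they are not Windchill file paths from this article.

```python
"""Map a Log4j 2.x version string to the CVEs this advisory lists for it.

Added example, not PTC's or Apache's code. The version ranges below are
embedded as constructed data copied from the advisory text; re-check them
against the Apache security page before relying on them.
"""
import re
from typing import List, Sequence, Tuple

# (lower bound, upper bound, CVEs) exactly as given on the advisory page.
# The advisory states two lower bounds for CVE-2021-45105; the one given
# beside the CVE itself (2.0-beta7) is used here.
ADVISORY_RANGES = [
    ("2.0-beta9", "2.15.0", ("CVE-2021-44228", "CVE-2021-45046")),
    ("2.0-beta7", "2.16", ("CVE-2021-45105",)),
    ("2.0-beta7", "2.17.0", ("CVE-2021-44832",)),
]

_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE
)
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3  # a final release ranks above any pre-release of the same number


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9', '2.16' or '2.17.1' into a tuple that compares correctly.

    Missing minor/patch parts are treated as 0, so '2.16' == '2.16.0'.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, pre, pre_num = m.groups()
    key = (int(major), int(minor or 0), int(patch or 0))
    if pre is None:
        return key + (_FINAL, 0)
    return key + (_PRE_ORDER[pre.lower()], int(pre_num or 0))


def affected_cves(version: str) -> List[str]:
    """Return the advisory's CVEs whose stated range includes this version."""
    v = parse_version(version)
    cves: List[str] = []
    for lo, hi, ids in ADVISORY_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            cves.extend(ids)
    return cves


# Hypothetical helper: pull the version out of a log4j-core jar file name.
# Log4j 1.x jars (e.g. log4j-1.2.17.jar) deliberately do not match, since the
# advisory says 1.x is not affected by these CVEs.
_JAR_RE = re.compile(r"log4j-core-(\S+?)\.jar$")


def scan_jar_names(jar_names: Sequence[str]) -> List[Tuple[str, str, List[str]]]:
    """For each log4j-core jar name, return (name, version, affected CVEs)."""
    results = []
    for name in jar_names:
        m = _JAR_RE.search(name)
        if m:
            ver = m.group(1)
            results.append((name, ver, affected_cves(ver)))
    return results


if __name__ == "__main__":
    # Constructed sample directory listing, not taken from a real install.
    sample = [
        "log4j-core-2.14.1.jar",
        "log4j-api-2.14.1.jar",
        "log4j-core-2.16.0.jar",
        "log4j-core-2.17.1.jar",
        "log4j-1.2.17.jar",
    ]
    for name, ver, cves in scan_jar_names(sample):
        print(name, ver, cves or "none of the CVEs listed in this advisory")
```

A file-name match is only a first pass: a log4j-core class set repackaged inside another jar (a shaded or "uber" jar) carries no such name, so an inventory that relies on names alone will miss it; inspecting jar contents for `org/apache/logging/log4j/core/` entries is the more reliable check.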
IMPORTANT NOTE:
- Due to the criticality of this reported vulnerability, PTC STRONGLY RECOMMENDS taking IMMEDIATE action to ensure all impacted Windchill instances are secure.
- There are no known exploits reported for Windchill at this time. Investigation is ongoing to identify any potential attack surface.
- All instances (dev, test and prod) are impacted, and any Windchill deployment of the impacted releases should be updated as per the recommendations below. This includes updating all Windchill file servers.
IMPACT ON WINDCHILL RELEASES:
- Windchill includes the log4j library for native logging capabilities (see below for impacts related to supported third-party bundled components that integrate directly with Windchill).

| Windchill Release | Apache Log4j version | Additional Information |
|---|---|---|
| 11.0 M030 | log4j 1.x | Not vulnerable. Refer to Article CS359009 for more information. * PTC continuously monitors and analyzes supported Windchill releases for any reported critical or high CVE. |
| 11.1 M020 and earlier; 11.2.1; FlexPLM 11.1 M010; FlexPLM 11.1 M020; FlexPLM 11.2.1; FlexPLM 12.0.0 | log4j 1.x | Not vulnerable. Refer to Article |