ThingWorx Apache log4j vulnerability - Incident Response
- ThingWorx Platform 8.1 to 8.5
- ThingWorx Platform 9.0
- ThingWorx Platform 9.1
- ThingWorx Platform 9.2
- ThingWorx Analytics 8.5
- ThingWorx Analytics 9.0
- ThingWorx Analytics 9.1
- ThingWorx Analytics 9.2
- And all currently supported versions
- Customer alert and recommendations for remediation of the identified Apache log4j vulnerability, CVE-2021-44228. This vulnerability is in a third-party library that PTC software uses for logging application errors, events and associated information. If exploited, the vulnerability allows remote and potentially malicious code execution in your environments.
- This vulnerability will be fixed in maintenance versions of the ThingWorx Platform, including 8.5, 9.0, 9.1 and 9.2, either by updating the log4j library or by removing its usage from our software.
- In the interim, there may be configuration settings that remove the vulnerability; PTC recommends applying them immediately to the PTC ThingWorx installations and components identified in this article.
- Please note that PTC does not hold responsibility for third-party use of Log4j in custom solutions, which will still require remediation. This applies to all listed items in the ThingWorx Product Suite.
The following vulnerabilities have been reported for Log4j 2.x:
The following vulnerabilities have been reported for Log4j 1.x: