Applications using Log4j 1.x may be impacted if their configuration uses JNDI (JMSAppender).

Base CVSS Score: 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

In Log4j 1.x the JMSAppender will perform a JNDI lookup if enabled in log4j’s configuration file.

Vulnerable Apache Log4j versions for the identified CVEs: All 1.2.X versions up to 1.2.17

The product releases specified above in the 'Applies To' area all include the log4j1.2.17 version. As it is known to be out of support, analysis and justification is provided to confirm known impacts to Windchill PLM.

The use of log4j in these locations is not exploitable.

Multiple CVEs have been reported against Apache Log4j 1.x.

There are additional locations in the Windchill codebase where log4j2.x is included.

Refer to the Shibboleth Announcement for further details

Additional locations in Windchill Codebase where Log4j 2.x is found:

Any additional considerations will be provided when/if they become available.

FlexPLM - Recommended actions should be followed.

IMPACT TO INTEGRATED PTC APPLICATIONS/SOLUTIONS:

Refer to the table below (Resolution Section) for the latest updates for each 3rd Party Component.

The Windchill impact analysis includes review of the following 3rd party bundled components:

While earlier Windchill releases (prior to 12.0.2.0) may not include the vulnerable log4j version, supported 3rd party bundled components may still be vulnerable.

Impacts to 3rd Party Bundled Components:

Please see resolution for information on Additional Windchill Components.

Additional analysis has been done for Windchill components to identify any impact or risk.

Immediate Action Strongly Recommended – Workaround (see Resolution section for specific steps)

* PTC continuously monitors and analyzes supported Windchill releases for any reported critical or high CVE.
Refer to Article CS359009 for more information (see below for impacts related to supported 3rd party bundled components that integrate directly with Windchill)

Windchill includes the log4j library for native logging capabilities.

This includes updating all Windchill file servers.