As you may know, Heartbleed is a serious vulnerability in OpenSSL. It became public on April 7, 2014. Windchill customers are most likely using OpenSSL as part of their secure web encryption. The good news is that the version of OpenSSL we ship with PTC-supplied versions of Apache for Windchill (0.9.8) is not affected by this vulnerability.

If you are using your own build of Apache, or another webserver not supplied by PTC, please check immediately to see if you need to update OpenSSL to 1.0.1g (or check with your vendor).

Details:

  • PTC-supplied Apache builds for Windchill ARE NOT affected by Heartbleed
  • The Heartbleed vulnerability (CVE-2014-0160) only affects OpenSSL 1.0.1 prior to 1.0.1g
  • Windchill provides Apache 2.2, which uses the OpenSSL 0.9.8 family
  • Customers that have deployed webservers and other applications not supplied by PTC that use OpenSSL should check with those vendors
  • Customers that have deployed non-PTC versions of Apache web server that use OpenSSL 1.0.1 should upgrade OpenSSL to 1.0.1g immediately.
  • For additional information, please see
    Heartbleed
    MITRE CVE-2014-0160
    OpenSSL
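
A version check matching the ranges listed above, as an added example that is not PTC's or OpenSSL's code; the function names, the `--local` switch and the result words are assumptions. It classifies a version banner such as the output of `openssl version`.

```shell
#!/bin/sh
# Classify an OpenSSL version string against the advisory's statement:
# only 1.0.1 releases before 1.0.1g are affected by CVE-2014-0160.
# heartbleed_status, check_local_openssl and the result words are
# names chosen for this example.

heartbleed_status() {
    # Accept a bare version ("1.0.1e") or a full banner
    # ("OpenSSL 1.0.1e 11 Feb 2013"): take the first token that
    # looks like digit.digit.digit.
    ver=""
    for tok in $1; do
        case "$tok" in
            [0-9]*.[0-9]*.[0-9]*) ver=$tok; break ;;
        esac
    done
    [ -n "$ver" ] || { echo unknown; return 0; }

    case "$ver" in
        # Pre-release builds are outside the advisory's wording.
        *-beta*|*-dev*|*-pre*) echo unknown ;;
        # 1.0.1 with no patch letter, or letters a through f
        # (optionally with a build suffix such as -fips).
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo affected ;;
        # 1.0.1g and later letters carry the fix.
        1.0.1[g-z]|1.0.1[g-z]-*) echo not-affected ;;
        # Any other 1.0.1 spelling: do not guess.
        1.0.1*) echo unknown ;;
        # Other release families, e.g. the 0.9.8 family named above.
        [0-9]*.[0-9]*.[0-9]*) echo not-affected ;;
        *) echo unknown ;;
    esac
}

check_local_openssl() {
    # Classify the openssl binary found on PATH, if any.
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    banner=$(openssl version 2>/dev/null) || { echo unknown; return 0; }
    printf '%s: ' "$banner"
    heartbleed_status "$banner"
}

# Run against the local binary only when asked: sh check.sh --local
if [ "${1:-}" = "--local" ]; then
    check_local_openssl
fi
```

The version string is only a first indicator: some vendors backport the fix without changing the patch letter, and a web server may link a different OpenSSL than the `openssl` binary on the PATH. An `affected` or `unknown` result is the cue to check with the vendor, as the advisory says.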

If you have follow-up questions, please contact us, or you can open a security vulnerability case directly using the PTC eSupport portal.

We are still determining whether other products are vulnerable. We will keep you posted on our findings.