A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10.
The Log4j library is developed by the open-source Apache Software Foundation and is a key Java-logging framework. Since last week’s alert by CERT New Zealand that CVE-2021-44228, a remote code execution flaw in Log4j, was already being exploited in the wild, warnings have been issued by several national cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA).
Affected Windchill versions that need immediate action:
- Windchill 184.108.40.206
- Windchill 220.127.116.11
- Windchill 18.104.22.168
Windchill 11.1 M020 and older versions are not affected by the recently found Log4j security vulnerability and no action is required.
Affected Navigate versions that need immediate action:
- ThingWorx Navigate 9.1
- ThingWorx Navigate 9.2
The following Windchill versions are affected through the SOLR installation:
| Windchill version | SOLR version | Log4j version to remove |
|---|---|---|
| Windchill 11.1 M020 CPS20 through CPS22 | 8.9.0 | 2.13.2 |
| Windchill 11.1 M020 CPS18 through CPS19 | 8.8.1 | |
| Windchill 11.1 M020 CPS15 through CPS17 | 8.6.1 | |
| Windchill 11.1 M020 CPS12 through CPS14 | 8.4.1 | 2.11.2 |
| Windchill 11.1 M020 CPS10 through CPS11 | 8.2.0 | |
| Windchill 11.1 M020 CPS03 through CPS09 | 7.6.0 | 2.11.0 |
| Windchill 11.1 M020 F000 through CPS02 | 7.4.0 | |
| Windchill 22.214.171.124 through 126.96.36.199 | 8.9.0 | |
Ongoing updates from PTC
PTC has provided a “living” landing page for customers wanting more information:
Additional articles with more details and step-by-step instructions to remediate the vulnerability: