The following Apache or IIS HTTP Server configuration updates should be IMMEDIATELY applied to all your Windchill or FlexPLM systems, version 11.0 or higher (for older versions, see the bottom of these instructions):
- Customers using Apache HTTP Server should only follow the steps in the “Apache HTTP Server Configuration – Workaround Steps” section.
- Customers using Microsoft IIS should only follow the steps in the “IIS Configuration – Workaround Steps” section.
- Importantly, the same mitigation steps must also be applied on File Server / Replica Server configurations where applicable.
Apache HTTP Server Configuration – Workaround Steps:
- Create a new Apache configuration file:
<APACHE_HOME>/conf/conf.d/91-app-Windchill-Auth.conf
- Add the following to the body of this new configuration file:
<LocationMatch "^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.wrmf\.transport\.httptransport\.ReconnectedHttpURLCon(?:;[^/]*)?/.*$">
    Require all denied
</LocationMatch>
- Be sure to save the new configuration file.
NOTE: The sequence number in this configuration file name must be within the 90–99 range. If sequence number 91 is already in use, choose a higher sequence number for the configuration file name.
- Restart Apache HTTP Server for changes to take effect:
Linux:
apachectl stop
apachectl start
Windows (Service):
Open Services
Stop Apache HTTP Server
Start Apache HTTP Server
IIS Configuration – Workaround Steps:
Note: First, confirm that you have successfully implemented the workaround for the critical RCE vulnerability documented in CS466318.
1. Check whether the URL Rewrite module is available in the IIS web server. If it is not available, follow steps 2 through 5; otherwise, jump to step 4.
2. Download the “url-rewrite” binary from https://www.iis.net/downloads/microsoft/url-rewrite.
3. Install the downloaded binary using PowerShell with the command below. Ensure you run the command with the exact location of the downloaded binary.
Command: Start-Process msiexec.exe -ArgumentList "/i <location of binary> /quiet" -Wait
Example: Start-Process msiexec.exe -ArgumentList "/i C:\Users\windchill\Downloads\rewrite_amd64_en-US.msi /quiet" -Wait
4. Edit <WT_HOME>\web.config, add the rewrite rule below as the first tag inside the <system.webServer> tag, and save the file.
<rewrite>
  <rule name="Block Windchill ReconnectedHttpURLCon Servlet" stopProcessing="true">
    <match url="^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.wrmf\.transport\.httptransport\.ReconnectedHttpURLCon(;[^/]*)?/.*$" ignoreCase="true" />
    <action type="CustomResponse"
            statusCode="403"
            statusReason="Forbidden"
            statusDescription="Access Denied" />
  </rule>
</rewrite>
Be sure to confirm that the web.config file is properly updated with the changes.
5. Restart the IIS web server with the command below from PowerShell:
iisreset
6. Close and relaunch the IIS Manager UI to check that the URL Rewrite rule is in place:
Click on Site —> URL Rewrite —> The URL Rewrite rule should appear in the list.
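Before relying on either workaround, it is worth confirming that the deny rule covers the request shapes it is meant to cover (including the path-parameter variant that the (;[^/]*)? group exists for) and leaves other servlet paths alone. The script below is an added check, not part of the PTC article or product: it evaluates the Apache and IIS regexes from the two sections above against constructed sample paths; the sample paths and the wt.example.OtherServlet name are made up for the check.

```python
import re

# Regex exactly as in the Apache LocationMatch rule (case-sensitive, non-capturing group).
APACHE_RULE = re.compile(
    r"^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.wrmf\.transport\.httptransport"
    r"\.ReconnectedHttpURLCon(?:;[^/]*)?/.*$"
)
# Regex exactly as in the IIS <match url=...> rule; ignoreCase="true" maps to re.IGNORECASE.
IIS_RULE = re.compile(
    r"^.*servlet/(WindchillGW|WindchillAuthGW)/wt\.wrmf\.transport\.httptransport"
    r"\.ReconnectedHttpURLCon(;[^/]*)?/.*$",
    re.IGNORECASE,
)


def apache_denies(path: str) -> bool:
    """True if the Apache LocationMatch block would answer 403 for this request path."""
    return APACHE_RULE.match(path) is not None


def iis_denies(path: str) -> bool:
    """True if the IIS rewrite rule would answer 403 for this request path."""
    return IIS_RULE.match(path) is not None


# Constructed sample request paths (not taken from the article), paired with the decision
# the workaround is expected to make: True = must be denied, False = must still pass.
SAMPLE_PATHS = [
    ("/Windchill/servlet/WindchillGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/x", True),
    ("/Windchill/servlet/WindchillAuthGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon/a/b", True),
    # path-parameter variant: the optional ;... group is what keeps this one covered
    ("/Windchill/servlet/WindchillGW/wt.wrmf.transport.httptransport.ReconnectedHttpURLCon;jsessionid=CONSTRUCTED/x", True),
    # a different servlet behind the same gateway must keep working (hypothetical servlet name)
    ("/Windchill/servlet/WindchillGW/wt.example.OtherServlet/x", False),
    # ordinary application URLs are untouched
    ("/Windchill/app/", False),
]


def verify_rules(samples=SAMPLE_PATHS):
    """Return (path, expected, apache, iis) tuples where either rule disagrees with the
    expected decision; an empty list means both rules behave as intended."""
    failures = []
    for path, expected in samples:
        apache, iis = apache_denies(path), iis_denies(path)
        if apache != expected or iis != expected:
            failures.append((path, expected, apache, iis))
    return failures


if __name__ == "__main__":
    for path, expected in SAMPLE_PATHS:
        print(f"{'DENY ' if expected else 'ALLOW'} apache={apache_denies(path)} iis={iis_denies(path)} {path}")
    print("rule check:", "OK" if not verify_rules() else verify_rules())
```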
Windchill and FlexPLM Releases Prior to 11.0 M030
For Windchill and FlexPLM releases prior to 11.0 M030, it is important to note that the primary means of lowering your risk is to ensure that your system is not connected to the Internet, which significantly reduces exposure.
For guidance on a potential workaround for this attack vector, please refer to CS466867.