Hi,
On Friday 09.12.21 a critical vulnerability (Log4Shell - CVE-2021-44228) in the widely used Java library Log4j has been identified. According to the assessment of many authorities, this leads to an extremely critical threat situation, which is why, among others, the Federal Office for Information Security (BSI) in Germany has upgraded its existing cyber security warning to warning level red (see Common Vulnerabilities and Exposures and BSI).
The affected component is also used in some PTV products. This affects both customer installations and the cloud offering of PTV Group.
Concerning further technical questions, please contact your Product Support.
I also recommend subscribing to this topic's stream. I'll respond to it whenever I get information.
For further details check log4j-latest-information
And: subscribe the product management DEV BLOG!
Thanks to Stephan for the quick statement!
Bernd
Critical vulnerability (Log4Shell) in the Java Log4j
- Bernd Welter
- Site Admin
- Posts: 2584
- Joined: Mon Apr 14, 2014 10:28 am
- Contact:
Bernd Welter
Technical Partner Manager Developer Components
PTV Logistics - Germany
Bernd at... The Forum, LinkedIn, Youtube, StackOverflow
I like the smell of PTV Developer in the morning...
Re: Critical vulnerability (Log4Shell) in the Java Log4j
Here's another valuable post from the DEVBLOG - thanks to Haba for the quick info:

As the PTV xServer API versions 1.34 and 2.x are affected by the critical vulnerability in the Apache Log4j logging framework, we are working on updates integrating the security update Log4j 2.15.0. We will announce the new on-premise versions here and recommend using them as soon as they are available.
On short notice you can take the following measures to mitigate the zero-day exploit: set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS in your system to true.
Please note that this mitigation works for PTV xServer 1.34 and from PTV xServer 2.7 on. If you are using PTV xServer versions 2.0 to 2.6, you have to update them first.

Best regards,
Bernd

Meanwhile I've been asked how to set the environment variable. I found this post on Stack Overflow. It offers several approaches:
- Set the system property log4j2.formatMsgNoLookups when you launch the VM, passing it as java -Dlog4j2.formatMsgNoLookups=true ... .
- Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the org/apache/logging/log4j/core/lookup/JndiLookup.class from the classpath - see log4j-core-*.jar.

Best regards,
Bernd
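Which of the three measures applies depends on the log4j-core version actually shipped with an installation, so the first step is an inventory. The following Python check is an added example, not code from this thread or from PTV: it opens a log4j-core jar, reads the version from the manifest, tests whether JndiLookup.class is still present, and maps the result onto the version boundaries named above (the formatMsgNoLookups switch from 2.10.0 on, class removal for older releases, 2.15.0 as the first security update and 2.17.1 as the last one mentioned in this thread). It assumes the jar manifest carries an Implementation-Version header, as the official log4j-core jars do; the sample jars are constructed in memory for the demonstration.

```python
"""Classify a log4j-core jar for Log4Shell (CVE-2021-44228) exposure.

Added example, not PTV's code. Assumption: META-INF/MANIFEST.MF in the jar
carries an Implementation-Version header (true for the official log4j-core
jars). The sample jars built below are constructed for the demonstration.
"""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Version boundaries as given in the thread: the formatMsgNoLookups switch is
# the short-term fix from 2.10.0 on, older releases must drop JndiLookup.class,
# 2.15.0 was the first security update and 2.17.1 the last one mentioned.
FLAG_AVAILABLE = (2, 10, 0)
FIRST_FIX = (2, 15, 0)
LATEST_FIX = (2, 17, 1)


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); pre-release tags such as '2.0-beta9' -> (2, 0, 0)."""
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not nums:
        raise ValueError("unrecognised log4j version: %r" % text)
    return tuple(int(n or 0) for n in nums.groups())


def manifest_version(zf):
    """Read Implementation-Version from the jar manifest (None if absent)."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(jar_bytes):
    """Return (version text, JndiLookup present?, verdict) for one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version_text = manifest_version(zf)
        has_jndi = JNDI_LOOKUP in zf.namelist()
    if version_text is None:
        return (None, has_jndi, "unknown version: inspect manually")
    version = parse_version(version_text)
    if version >= LATEST_FIX:
        verdict = "ok"
    elif version >= FIRST_FIX:
        verdict = "update to 2.17.1"
    elif not has_jndi:
        verdict = "JndiLookup.class removed: mitigated, update when possible"
    elif version >= FLAG_AVAILABLE:
        verdict = ("vulnerable: set LOG4J_FORMAT_MSG_NO_LOOKUPS=true or "
                   "-Dlog4j2.formatMsgNoLookups=true, then update")
    else:
        verdict = "vulnerable: remove JndiLookup.class from the jar, then update"
    return (version_text, has_jndi, verdict)


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar: manifest plus marker entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    # Usage on a real installation: assess_jar(open("log4j-core-2.x.y.jar", "rb").read())
    for version, keep in [("2.0-beta9", True), ("2.10.0", True),
                          ("2.10.0", False), ("2.17.0", True), ("2.17.1", True)]:
        print(version, assess_jar(build_sample_jar(version, keep)))
```

The check reads the manifest rather than trusting the file name, since repackaged or shaded jars often carry no version in their name; a missing manifest header is reported as unknown instead of being guessed.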
Re: Critical vulnerability (Log4Shell) in the Java Log4j
And another update from Haba:

PTV xServer 2.25.1 released to fix the Log4j zero-day exploit

The PTV xServer 2.25.1 is released! We fixed the Log4j zero-day exploit and integrated the security update Log4j 2.15.0. The same is true for the also released PTV Content Update Service 2.25.1.
Please check the corresponding release notes here.
For on-premise solutions you can download the latest version from the PTV xServer Customer Area (login and license required).
The cloud solution PTV xServer internet is already patched in the currently used versions. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.
And: We are already working on the also affected PTV xServer 1.34 and there will be a corresponding release in the next days. The PTV xServer 1.32 and older versions are not affected by this security issue.

Big thank you to all involved colleagues for your quick reaction solving this critical vulnerability!!!
Bernd
Re: Critical vulnerability (Log4Shell) in the Java Log4j
1.34.0.2 released:
https://xserver.ptvgroup.com/forum/view ... =51&t=1515
Re: Critical vulnerability (Log4Shell) in the Java Log4j
Next patch: xServer 1.34!!!
https://xserver.ptvgroup.com/forum/view ... =51&t=1517
Afaik: both xServer1 and xServer2 are now available with LOG4J 2.16.0 based integration.
No further actions planned for PTV DEV
Feel free to update your existing installation with one of those versions.
Bernd
Re: Critical vulnerability (Log4Shell) in the Java Log4j
devblog: how-to-handle-the-log4j-security-issue-with-ptv-xserver-older-than-1-34
This drives us crazy
Re: Critical vulnerability (Log4Shell) in the Java Log4j
And another patch is waiting for you...
Dear xServer Stakeholders,
The same procedure as every week … the PTV xServer 2.25.3 is released! We integrated the latest security update Log4j 2.17.0 and hopefully this is the last one to fix the current security issues in Log4j. And again the same is true for the just released PTV Content Update Service 2.25.3.
We are working on a similar bugfix release of PTV xServer 1.34 to also integrate Log4j 2.17.0 there.
The on-premise solution can be found here:
Developer Zone (login required)
Regards, your transportation services teams
Re: Critical vulnerability (Log4Shell) in the Java Log4j
Cheers,
the topic seems to be hot - even in 2022. I've been asked by a customer:

Does PTV 1.34 with Log4j 2.17.0 use the JDBC Appender, and is the JNDI class not removed?

Here's what DEV told me about this (Thanks, Ellen!):

A default installation of an xServer does use the JDBC appender. This only happens if the customer's administrator enables database logging.
Currently (3.1.2022) we integrated Log4J 2.17.0 into the releases provided recently. Apache has released a new Log4J version 2.17.1 on December 28th (check CVE-2021-44832). Further info is available at:
- https://venturebeat.com/2021/12/29/patching-log4j-to-version-2-17-1-can-probably-wait
- https://blog.sonatype.com/log4j-another-code-execution-bug-should-you-worry
- https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element

Bernd
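Since the answer above makes exposure to CVE-2021-44832 depend on whether an administrator has enabled database logging, the practical question for an operator is whether the active Log4j configuration contains a JDBC appender and, if so, whether it obtains its connection through a JNDI DataSource element (the vector named in the Checkmarx link). The following Python check is an added example, not code from this thread or from PTV: it parses a Log4j 2 XML configuration and reports each JDBC appender with its connection source. It assumes the standard log4j2.xml layout with JDBC, DataSource and ConnectionFactory elements as documented for Log4j 2; the two sample configurations are constructed for the demonstration, not taken from an xServer installation.

```python
"""Flag Log4j 2 XML configurations that enable the JDBC appender and report
whether it resolves its connection through a JNDI DataSource element.

Added example, not PTV's code. Assumption: the standard log4j2.xml layout
(<Configuration><Appenders><JDBC>...</JDBC></Appenders>...). The sample
configurations below are constructed, not taken from any real installation.
"""
import xml.etree.ElementTree as ET


def jdbc_appender_report(config_xml):
    """Return [(appender name, connection source)] for every JDBC appender."""
    root = ET.fromstring(config_xml)
    found = []
    for appender in root.iter("JDBC"):
        source = "none"
        if appender.find("DataSource") is not None:
            source = "DataSource (JNDI lookup)"
        elif appender.find("ConnectionFactory") is not None:
            source = "ConnectionFactory"
        found.append((appender.get("name", "?"), source))
    return found


def needs_attention(config_xml):
    """True when some JDBC appender resolves its connection via a JNDI DataSource."""
    return any(src.startswith("DataSource")
               for _, src in jdbc_appender_report(config_xml))


# Constructed sample 1: database logging not enabled, console appender only.
CONSOLE_ONLY = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Constructed sample 2: database logging enabled through a JNDI DataSource.
DB_LOGGING_JNDI = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="DatabaseLog" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="DatabaseLog"/></Root></Loggers>
</Configuration>"""


if __name__ == "__main__":
    # Usage on a real installation: needs_attention(open("log4j2.xml").read())
    for label, cfg in [("console only", CONSOLE_ONLY),
                       ("db logging via JNDI", DB_LOGGING_JNDI)]:
        print(label, jdbc_appender_report(cfg), "needs attention:", needs_attention(cfg))
```

A configuration that reports no JDBC appender matches the "database logging not enabled" case described above; one that reports a DataSource source is the case where updating to 2.17.1 should not wait.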