How to handle the Log4j security issue with PTV xServer older than 1.34

With PTV xServer 1.34 we updated several third-party components to recent versions. This included a major update of Apache Log4j from version 1 (PTV xServer < 1.34) to version 2 (PTV xServer 1.34). As PTV xServer 1 is downward compatible, only the latest PTV xServer 1 version receives updates, and we recommend always using the newest one. This is important not only because of the security issues in Log4j, but potentially also because of issues in other components.

In case it is not possible to update your PTV xServer 1 to version 1.34 on your system for any reason, you should be aware of the following:

  • Log4j 1 is no longer maintained and has reached end of life. Its security issues will not be fixed by Apache.
  • Log4j 2 incorporates many architectural changes compared to version 1. It is not possible to simply replace the Log4j 1 files with Log4j 2 files in older PTV xServer versions.

The way PTV xServer versions older than 1.34 use Log4j 1 in the shipped configuration should not be affected by the current Log4j security issue. Of course, you can change this configuration for your own purposes in many ways. If you want to be on the safe side, we offer a patch of Log4j 1 for PTV xServer versions 1.26 to 1.32, in which we removed the affected classes, as we do not use them anyway. With this patch you can simply replace the existing Log4j 1 files in your PTV xServer installation.

You can download the Log4j 1 patch, including short documentation, from the PTV xServer Customer Area (see ‘API Version 1 – Important Notes’): https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

PTV xServer 1.34 with latest Log4j released

And here is the next release of PTV xServer 1.34! As in PTV xServer 2, we have now integrated the latest security update, Log4j 2.16.0, to fix the additional security risks found in Log4j 2.15.0. At the moment no further PTV xServer release is planned on this topic.

  • PTV xCluster Server 1.34.0.2
  • PTV xDima Server 1.34.0.3
  • PTV xLoad Server 1.34.0.2
  • PTV xLocate Server 1.34.0.3
  • PTV xMap Server 1.34.0.3
  • PTV xMapmatch Server 1.34.0.2
  • PTV xRoute Server 1.34.0.3
  • PTV xTerritory Server 1.34.0.3
  • PTV xTour Server 1.34.0.3
  • PTV xServer bundle 1.34.0.3

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet, which uses PTV xServer 1.34, is already patched. Check the Cluster Overview page for more information about existing PTV xServer internet deployments.

What a crazy week…

PTV xServer 2.25.2 with latest Log4j released

PTV xServer 2.25.2 is released! We have now integrated the latest security update, Log4j 2.16.0, to fix the additional security risks found in Log4j 2.15.0 (which was integrated in PTV xServer 2.25.1). The same is true for the just-released PTV Content Update Service 2.25.2. At the moment no further PTV xServer 2 release is planned on this topic.

Please check the corresponding release notes here.

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet is already patched in the currently used versions. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.

PTV xServer 1.34 “Log4j” bugfix release available

PTV xServer 1.34 is now available, fixing the critical vulnerability in the Apache Log4j logging framework. We integrated the security update Log4j 2.15.0.

  • PTV xCluster Server 1.34.0.1
  • PTV xDima Server 1.34.0.2
  • PTV xLoad Server 1.34.0.1
  • PTV xLocate Server 1.34.0.2
  • PTV xMap Server 1.34.0.2
  • PTV xMapmatch Server 1.34.0.1
  • PTV xRoute Server 1.34.0.2
  • PTV xTerritory Server 1.34.0.2
  • PTV xTour Server 1.34.0.2
  • PTV xServer bundle 1.34.0.2

As the situation is very dynamic, further security risks with a lower score have been found in Log4j 2.15.0. Log4j 2.16.0 is already available, and the next bugfix release of PTV xServer 1.34 is in preparation to integrate it (the same applies to PTV xServer 2.25). Nevertheless, we recommend using the just-released PTV xServer versions, as the security risk with the highest score is fixed in them.

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet, which uses PTV xServer 1.34, is already patched. Check the Cluster Overview page for more information about existing PTV xServer internet deployments.

PTV xServer 2.25.1 released to fix the Log4j zero-day exploit

PTV xServer 2.25.1 is released! We fixed the Log4j zero-day vulnerability and integrated the security update Log4j 2.15.0. The same is true for the also-released PTV Content Update Service 2.25.1.

Please check the corresponding release notes here.

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet is already patched in the currently used versions. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.

How to handle the Apache Log4j zero-day exploit using PTV xServer on-premise

As PTV xServer API versions 1.34 and 2.x are affected by the critical vulnerability in the Apache Log4j logging framework, we are working on updates that integrate the security update Log4j 2.15.0. We will announce the new on-premise versions here and recommend using them as soon as they are available.

As a short-term measure you can mitigate the zero-day exploit as follows: set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true on your system. This also has a positive effect on other applications on your system that use the lookup function of Log4j.

Please note that this mitigation works for PTV xServer 1.34 and for PTV xServer 2.7 and later. If you are using PTV xServer versions 2.0 to 2.6, you have to update them first.

Moreover, PTV Content Update Service 2.x is affected in the same way as PTV xServer 2.x, and the mitigation also works for PTV Content Update Service 2.7 and later.
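As an added example (not PTV code), the following script audits an on-premise installation tree for bundled log4j-core jars, classifies each by the versions named in these posts (2.15.0 partially fixed, 2.16.0 fixed, a jar without the JndiLookup class treated as fixed) and reports whether LOG4J_FORMAT_MSG_NO_LOOKUPS is set. The jar-internal paths follow the real log4j-core artifact layout; the two sample jars are constructed fixtures, not real PTV files.

```python
# Added example (not PTV code): audit a tree for log4j-core jars and the mitigation variable.
import os, re, tempfile, zipfile

SAFE = (2, 16, 0)      # version the release posts integrate
PARTIAL = (2, 15, 0)   # fixes the critical issue, lower-score risks remain
MITIGATION_VAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Extract (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version, jndi_present):
    """Status of one jar from its version and whether JndiLookup is present."""
    if version is None:
        return "unknown"
    if not jndi_present or version >= SAFE:
        return "ok"            # lookup class removed, or 2.16.0 and later
    return "partially-fixed" if version >= PARTIAL else "vulnerable"

def audit_jar(path):
    """Return (version, status) for a log4j-core jar, None for other jars."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM not in names:
            return None
        version = parse_version(jar.read(POM).decode("utf-8", "replace"))
        return version, classify(version, JNDI in names)

def audit_install(root, env=os.environ):
    """Walk root; return ({jar: (version, status)}, mitigation variable set)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            result = audit_jar(os.path.join(dirpath, name)) if name.endswith(".jar") else None
            if result is not None:
                findings[name] = result
    return findings, env.get(MITIGATION_VAR, "").strip().lower() == "true"

def demo():
    """Audit two constructed fixture jars (not real PTV jars) with mitigation set."""
    with tempfile.TemporaryDirectory() as root:
        for version, has_jndi in (("2.14.1", True), ("2.16.0", False)):
            with zipfile.ZipFile(os.path.join(root, f"log4j-core-{version}.jar"), "w") as jar:
                jar.writestr(POM, f"version={version}\n")
                if has_jndi:
                    jar.writestr(JNDI, b"")   # empty stand-in for the class
        return audit_install(root, env={MITIGATION_VAR: "true"})
```

Run audit_install against the installation root of a real deployment; the environment variable is read when the JVM starts, so the service must be restarted after it is set.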