
Thus, the PTV xServer is not affected by CVE-2022-22965 (according to the current status).

With PTV xServer 1.34 we updated several third-party components to recent versions. This included a major update of Apache Log4j from version 1 (PTV xServer < 1.34) to version 2 (PTV xServer 1.34). As PTV xServer 1 is downward compatible, only the latest PTV xServer 1 version gets updates, and we recommend always using the newest one. This is important not only because of the security issues in Log4j, but potentially also because of issues in other components.
If for any reason you cannot update your PTV xServer 1 to version 1.34 on your system, note the following:
The way PTV xServer versions older than 1.34 use Log4j 1 in the shipped configuration should not be affected by the current security issue with Log4j. But of course, you can change this configuration for your purposes in many ways. If you want to be on the safe side, we offer a patch of Log4j 1 for the PTV xServer versions 1.26 to 1.32, in which we removed the affected classes, as we do not use them anyway. With this patch you can simply replace the existing Log4j 1 files in your PTV xServer installation.
You can download the Log4j 1 patch including a short documentation from the PTV xServer Customer Area (see ‘API Version 1 – Important Notes’): https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)
As the PTV xServer API versions 1.34 and 2.x are affected by the critical vulnerability in the Apache Log4j logging framework, we are working on updates integrating the security update Log4j 2.15.0. We will announce the new on-premise versions here and recommend using them as soon as they are available.
At short notice you can take the following measure to mitigate the zero-day exploit: set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true on your system. This also has a positive effect on other applications on your system that use the lookup function from Log4j.
Please note that this mitigation works for PTV xServer 1.34 and from PTV xServer 2.7 on. If you are using PTV xServer versions 2.0 to 2.6, you have to update them first.
Moreover, the PTV Content Update Service 2.x is affected in the same way as PTV xServer 2.x, and the mitigation also works from PTV Content Update Service 2.7 on.
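A check for the mitigation described above, as an added example that is not PTV's own tooling: the version rules come from this page, while reading `/proc/<pid>/environ` assumes a Linux host and the function names are hypothetical. It inspects the environment of the running process, because a variable set after the service started has no effect until the service is restarted.

```shell
#!/bin/sh
# Added example, not PTV tooling. Version rules are taken from the advisory text.

# mitigation_status VERSION -> prints what the advisory says for that version:
#   log4j1       xServer 1.x before 1.34 (ships Log4j 1; env var not relevant)
#   env-var-ok   xServer 1.34, or 2.7 and later
#   update-first xServer 2.0 to 2.6
#   unknown      anything that does not parse as MAJOR.MINOR
mitigation_status() {
    case "$1" in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$major" in
        1) if [ "$minor" -ge 34 ]; then echo env-var-ok; else echo log4j1; fi ;;
        2) if [ "$minor" -ge 7 ]; then echo env-var-ok; else echo update-first; fi ;;
        *) echo unknown ;;
    esac
}

# lookups_disabled ENVIRON_FILE -> exit 0 only if the variable is exactly "true"
# in a NUL-separated environment block (the format of /proc/<pid>/environ).
lookups_disabled() {
    tr '\0' '\n' < "$1" | grep -qx 'LOG4J_FORMAT_MSG_NO_LOOKUPS=true'
}

# Usage: script VERSION PID  (PID of the running xServer Java process)
if [ "$#" -eq 2 ]; then
    status=$(mitigation_status "$1")
    echo "advisory status for $1: $status"
    if [ "$status" = env-var-ok ]; then
        if lookups_disabled "/proc/$2/environ"; then
            echo "process $2: LOG4J_FORMAT_MSG_NO_LOOKUPS=true is in effect"
        else
            echo "process $2: variable not set in the running process; set it and restart"
        fi
    fi
fi
```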
On Friday 09.12.21, a critical vulnerability (Log4Shell) was identified in the widely used Java library Log4j. According to the assessment of many authorities, this leads to an extremely critical threat situation, which is why, among others, the Federal Office for Information Security (BSI) in Germany has upgraded its existing cyber security warning to warning level red (see Common Vulnerabilities and Exposures and BSI).
The affected component is also used in some PTV products. This affects both customer installations and the cloud offering of PTV Group.
List of products (affected, but patched)
List of products (affected)
List of products (possibly affected)
List of products (not affected)
We have therefore been working on updating the affected PTV products since the vulnerability was announced.
For the vulnerability, there is already a security update from the manufacturer with version Log4j 2.15.0. In addition, all products that use Log4j – including all affected PTV Products – must be adapted.
For cloud products, the update will be performed by PTV in its own data centers.
For customer-owned installations, we will provide an update in the short term and offer it for download. All customers will receive direct information about this in a timely manner.
Concerning further technical questions, please contact your Product Support.
We are now working on the upcoming xServer version 2.23.
This version is the first to contain compiler updates for Windows and Linux.
On Windows systems, there are no updated requirements, since the xServer2 compiled with VC16 is backwards compatible.
When running PTV xServer2 on a Linux host, consider the following:
The PTV xServer2 compiled with gcc 9.3 is no longer backwards compatible with older Linux systems.
We build and test the PTV xServer2 on Ubuntu 20.04 and therefore also recommend using it.
PTV xServer 2.23 and following require gcc 9.3 with a 5.4.0 kernel running on Ubuntu 20.04.
Since our current PTV xServer2 already runs on Ubuntu 20.04, you can do a system upgrade at any time before upgrading your xServer.
We would like to inform you that a problem of the MS Windows Server operating system in interaction with PTV xServer API version 1 was discovered.
Your PTV xServer installation is affected by this problem if the following points apply to it:
Within this group, installations using either local Windows versions (Windows Server 2019) or Azure Windows versions 5 (Windows Server 2016) and version 6 (Windows Server 2019) with current patch are affected.
The impact of this bug is seen in PTV xTour or PTV xDima Server calls that delete the distance matrix before or after usage. The deletion cannot be done in some cases, so the request fails.
Here is an overview of the tested OS versions; the error occurs for the combinations marked in red:
Options for action to avoid this error:
If you need assistance please contact our product support team via support.xServer <support.de@xserver.ptvgroup.com>.