Zero-day “Spring4Shell”

Since this week there is a new zero-day vulnerability in the Spring framework. Please note that we are aware of this and currently analyzing how far the PTV xServer is affected.
We like to share the current state of our analysis with you.
The essential requirement for exploiting the vulnerability is a JDK9. We are still running JDK8 on all PTV xServer API versions.
Thus, the PTV xServer is not affected by CVE-2022-22965 (according to the current status).
Of course, there may be new findings, so we will continue to investigate this issue. We will inform you as soon as there are further findings. To stay tuned subscribe to our blog.

How to handle the Log4j security issue with PTV xServer older than 1.34

With PTV xServer 1.34 we updated several third party components to recent versions. This also included a major update of Apache Log4j from version 1 (PTV xServer < 1.34) to version 2 (PTV xServer 1.34). As PTV xServer 1 is downward compatible only the latest PTV xServer 1 version gets updates and we recommend to use always the newest one. This is important not only because of the security issues in Log4j, but potentially also in other components.

In case it is not possible to update your PTV xServer 1 to version 1.34 on your system for any reason, you have to know the following:

  • Log4j 1 is no longer maintained and has reached end of life. The security issues will not be fixed by Apache.
  • Log4j 2 incorporates many architectural changes compared to version 1. It is not possible to just replace Log4j 1 files by Log4j 2 files in older PTV xServer versions.

The way PTV xServer older than 1.34 uses Log4j 1 in the shipped configuration should not affect the current security issue with Log4j. But of course, you can change this configuration for your purposes in many ways. Anyway, if you want to be on the safe side, we offer a patch of Log4j 1 for the PTV xServer versions 1.26 to 1.32. Therein we removed the affected classes as we do not use them anyway. With this patch you can just replace the existing Log4j 1 files in your PTV xServer installation.

You can download the Log4j 1 patch including a short documentation from the PTV xServer Customer Area (see ‘API Version 1 – Important Notes’): (login and license required)

How to handle the Apache Log4j zero-day exploit using PTV xServer on-premise

As the PTV xServer API versions 1.34 and 2.x are affected by the critical vulnerability in the Apache Log4j logging framework we work on updates integrating the security update Log4j 2.15.0. We will announce the new on-premise versions here and recommend to use them as soon as they are available.

On short notice you can take the following measures to mitigate the zero-day exploit: Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS in your system to true. This of course also has a positive affect on other applications on your system that uses the lookup function from Log4j.

Please note that this mitigation works for PTV xServer 1.34 and from PTV xServer 2.7 on. In case of using PTV xServer versions 2.0 to 2.6 you have to update them first.

Moreover the PTV Content Update Service 2.x is in the same way affected as PTV xServer 2.x and the mitigation also works from PTV Content Update Service 2.7 on.


Critical vulnerability in Log4j

The latest update to this post is available here!

On Friday 09.12.21 a critical vulnerability (Log4Shell) in the widely used Java library Log4j has been identified. According to the assessment of many authorities, this leads to an extremely critical threat situation, which is why, among others, the Federal Office for Information Security (BSI) in Germany has upgraded its existing cyber security warning to warning level red (see Common Vulnerabilities and Exposures and BSI).

The affected component is also used in some PTV products. This affects both customer installations and the cloud offering of PTV Group.


List of products (affected, but patched)

  • PTV xServer internet 1 / PTV xServer internet 2
  • PTV TLN planner internet
  • PTV Route Optimizer SaaS / Demonstrator
  • PTV Developer
  • PTV Visum Publisher

List of products (affected)

  • PTV xServer 2.x (on prem)
  • PTV xServer 1.34 (on prem)
  • PTV MaaS Modeller

List of products (possibly affected)

  • PTV Route Optimiser CL
  • PTV Route Optimiser ST
  • PTV Map&Market
  • PTV Arrival Board / Trip Creator / EM Portal
  • PTV Drive&Arrive

List of products (not affected)

  • PTV xServer < 1.34 (on prem)
  • PTV Road Editor
  • PTV Map&Guide internet
  • PTV Map&Guide intranet
  • PTV Navigator Licence Manager
  • PTV Navigator App
  • PTV Drive&Arrive App
  • PTV Visum
  • PTV Vissim
  • PTV Vistro
  • PTV Viswalk
  • PTV Balance and PTV Epics
  • PTV Hyperpath
  • PTV TRE and PTV Tre-Addin
  • PTV Optima

We have therefore been working on updating the affected PTV products since the vulnerability was announced.

For the vulnerability, there is already a security update from the manufacturer with version Log4j 2.15.0. In addition, all products that use Log4j – including all affected PTV Products – must be adapted.

For cloud products, the update will be performed by PTV in its own data centers.

For customer-owned installations, we will provide an update in the short term and offer it for download. All customers will receive direct information about this in a timely manner.

Concerning further technical questions, please contact your Product Support.

PTV xServer Version 2 – OS requirement update for Linux hosts

We are now working on the upcoming xServer Version 2.23.
These version is the first containing compiler updates for Windows and Linux.

On windows Systems, there are no updated requirements, since the xServer2 compiled with VC16 is backwards compatible.

Running PTV xServer2 on a Linux host, there is the following to consider:

The PTV xServer2 compiled with gcc 9.3 is not backwards compatible to older Linux systems anymore.

We build and test the PTV xServer2 on Ubuntu 20.04 and therefore also recommend to use this.
PTV xServer 2.23 and following require gcc 9.3 with a 5.4.0 kernel running on Ubuntu 20.04. 

Since our current PTV xServer2 already on Ubuntu 20.04 you can do a system upgrade anytime before upgrading your xServer.

PTV xServer API version 1 – Technical Note

We would like to inform you that a problem of the MS Windows Server operating system in interaction with PTV xServer API version 1 was discovered.

Your PTV xServer installation is affected by this problem if the following points apply to it:

  • PTV xServer API version 1
  • Operating system Windows Server 2016, or Windows Server 2019 with current security patch
  • PTV xTour or PTV xDima with calls that clear the distance matrix before or after usage
  • Storage of distance matrices in a SMB / CIFS directory

Within this group, installations using either local Windows versions (Windows Server 2019) or Azure Windows versions 5 (Windows Server 2016) and version 6 (Windows Server 2019) with current patch are affected.

The impact of this bug is seen in PTV xTour or PTV xDima Server calls that delete the distance matrix before or after usage. The deletion cannot be done in some cases, so the request fails.

Here is an overview of the tested OS versions, for the combinations marked in red the error occurs:

Options for action to avoid this error:

  • Do not update the operating system and remain on an unaffected Windows version.
  • Install PTV xServer 1.32 release as soon as it is available. Planned for early April 2021.

If you need assistance please contact our product support team via support.xServer <>.