PTV xServer 1.36 released

The new PTV xServer API version 1.36 is available. As always, we recommend using the new version as soon as possible. And these are the main topics:

  • Updated several third-party components to recent versions
  • Added the possibility to log only requests which cause a fatal exception
  • Fixed the request logging

If you are interested in the full list of changes, you can check the corresponding release notes here.

You can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

Deactivation of Transport Layer Security (TLS) 1.0 and 1.1 starts today!

PTV xServer internet will no longer be able to support TLS 1.1 or lower due to security updates in Azure. We informed you about this topic in the following blog post in April 2021.

PTV will start to deactivate the protocols with the upcoming map cluster updates.

Today the test systems of all our map clusters will support access with TLS 1.2 or higher only. We deactivated the access with TLS 1.1 or lower on all test environments for API Version 1 and API Version 2 alike.

Please test the access to the test system of your corresponding map cluster with your application and report any problem immediately.

The upcoming map updates for the map clusters will be announced as always via our PTV Developer Blog. You can subscribe to our blog to stay posted.

Next planned production updates with deactivation of TLS 1.0 and 1.1:

08.03.2022 PTV World City Map Cluster (TomTom) with API version 1 (api-eu)
10.03.2022 PTV Europe City Map Cluster (TomTom) with API version 1 (eu-n)
22.03.2022 PTV America City Map Cluster with API version 1 (na-n)
26.04.2022 PTV World City Map Cluster with API version 2 (xserver2-eu)
28.04.2022 PTV World City Map Cluster with API version 2 (xserver2-us)

Your action is required if you are still using TLS 1.0 or 1.1, as the requests will no longer get through to our service once we have updated the production environments of our map clusters.

  1. If you still use a Java 7 runtime or lower, or .NET Framework version 4.5 or lower, your action is required.
  2. Update your framework to a newer version to guarantee access to our service after the update on our map clusters.

Why do we do this: Microsoft announced the deactivation of Transport Layer Security 1.0 and 1.1.
Announcement from Microsoft on September 30th, 2020:
Transport Layer Security (TLS) 1.0 and 1.1 are security protocols for establishing encryption channels over computer networks. Microsoft has supported these protocols since Windows XP/Server 2003. However, due to evolving regulatory requirements as well as new security vulnerabilities in TLS 1.0, Microsoft recommends that customers remove TLS 1.0/1.1 dependencies in their environments and disable TLS 1.0 and 1.1 at the operating system level where possible. https://docs.microsoft.com/en-gb/lifecycle/announcements/transport-layer-security-1x-disablement

New year – new log4j Version!

First of all, happy new year to everybody out there.

On December 28th, the new CVE-2021-44832 concerning log4j 2.17.0 was disclosed.

Since we shipped the newest versions of the PTV xServer 1.34.0.3/4 family (see blog post from 22.12.2021) as well as the PTV xServer 2.25.3 (see blog post from 20.12.2021) with Log4j version 2.17.0 just before Christmas, these versions are potentially affected by this new CVE.

Should we be worried about this?

First, when looking at https://logging.apache.org/log4j/2.x/security.html the severity of CVE-2021-44832 is classified as moderate as the attacker must have permissions to modify the log4j configuration file.

After a detailed analysis, we can say that no products hosted by PTV which are vulnerable to CVE-2021-44832 have been identified.

If you run PTV products that include log4j version 2.17.0 on premise, please make sure that no unauthorized person has write access to the log4j config file of your system. For PTV xServer installations, you can find the log4j config files (logging.xml and logging-module.xml) in the “conf” directory of your PTV xServer installation.
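One way to run this check on a POSIX host, as an added example that is not PTV code: it reports the two config files, and the “conf” directory itself, when group or other users hold the write bit. The function names and the sample layout are assumptions; Windows ACLs need a separate check.

```python
import os
import stat
import tempfile

# The file names and the "conf" directory come from the post; the function
# names and the sample layout below are assumptions made for this example.
CONFIG_FILES = ("logging.xml", "logging-module.xml")


def audit_log4j_config(install_dir):
    """Return (path, problem) pairs for conf/ and the log4j config files."""
    conf_dir = os.path.join(install_dir, "conf")
    # Write access to the directory allows replacing the files, so audit it too.
    targets = [conf_dir] + [os.path.join(conf_dir, n) for n in CONFIG_FILES]
    findings = []
    for path in targets:
        if os.path.islink(path):  # the real file may sit in a weaker location
            findings.append((path, "symlink to " + os.path.realpath(path)))
        try:
            mode = os.stat(path).st_mode  # follows symlinks
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        loose = [who for who, bit in (("group", stat.S_IWGRP),
                                      ("other", stat.S_IWOTH)) if mode & bit]
        if loose:
            findings.append((path, "writable by " + "+".join(loose)))
    return findings


def demo():
    """Constructed sample install in which one config file is world-writable."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "conf")
        os.mkdir(conf)
        os.chmod(conf, 0o750)
        for name, mode in zip(CONFIG_FILES, (0o640, 0o666)):
            path = os.path.join(conf, name)
            with open(path, "w") as fh:
                fh.write("<Configuration/>")
            os.chmod(path, mode)
        return [(os.path.basename(p), why) for p, why in audit_log4j_config(root)]


if __name__ == "__main__":
    for name, why in demo():
        print(name, "->", why)
```

Any finding means an account other than the file owner can change the logging configuration, which is the precondition the post names for CVE-2021-44832.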

Because we think that the current CVE does not represent a critical problem for PTV products, we do not expect to update the latest versions of PTV xServer Family 1.34.0.3/4 and PTV xServer 2.25.3 (currently including log4j version 2.17.0) to the next log4j version, 2.17.1, before February 2022.

Of course, we will continue to follow the developments around log4j for you and keep you informed about further news.

Concerning further technical questions, please contact your Product Support.

PTV xServer 1.34 with Log4j 2.17.0 released

Groundhog day! The next release of PTV xServer 1.34 is available. As in PTV xServer 2, we have now integrated the latest security update, Log4j 2.17.0. Keep your fingers crossed that this finally solves the current security issues in Log4j.

  • PTV xCluster Server 1.34.0.3
  • PTV xDima Server 1.34.0.4
  • PTV xLoad Server 1.34.0.3
  • PTV xLocate Server 1.34.0.4
  • PTV xMap Server 1.34.0.4
  • PTV xMapmatch Server 1.34.0.3
  • PTV xRoute Server 1.34.0.4
  • PTV xTerritory Server 1.34.0.4
  • PTV xTour Server 1.34.0.4
  • PTV xServer bundle 1.34.0.4

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet using PTV xServer 1.34 is already patched. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.

How to handle the Log4j security issue with PTV xServer older than 1.34

With PTV xServer 1.34 we updated several third-party components to recent versions. This also included a major update of Apache Log4j from version 1 (PTV xServer < 1.34) to version 2 (PTV xServer 1.34). As PTV xServer 1 is downward compatible, only the latest PTV xServer 1 version gets updates, and we recommend always using the newest one. This is important not only because of the security issues in Log4j, but potentially also in other components.

In case it is not possible to update your PTV xServer 1 to version 1.34 on your system for any reason, you have to know the following:

  • Log4j 1 is no longer maintained and has reached end of life. The security issues will not be fixed by Apache.
  • Log4j 2 incorporates many architectural changes compared to version 1. It is not possible to just replace Log4j 1 files by Log4j 2 files in older PTV xServer versions.

In its shipped configuration, PTV xServer older than 1.34 uses Log4j 1 in a way that should not be affected by the current security issue with Log4j. Of course, you can change this configuration for your purposes in many ways. If you want to be on the safe side, we offer a patch of Log4j 1 for the PTV xServer versions 1.26 to 1.32, in which we removed the affected classes, as we do not use them anyway. With this patch you can just replace the existing Log4j 1 files in your PTV xServer installation.

You can download the Log4j 1 patch including a short documentation from the PTV xServer Customer Area (see ‘API Version 1 – Important Notes’): https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

PTV xServer 1.34 with latest Log4j released

And here is the next release of PTV xServer 1.34! As in PTV xServer 2, we have now integrated the latest security update, Log4j 2.16.0, to fix the additional security risks found in Log4j 2.15.0. At the moment there is no further PTV xServer release planned on this topic.

  • PTV xCluster Server 1.34.0.2
  • PTV xDima Server 1.34.0.3
  • PTV xLoad Server 1.34.0.2
  • PTV xLocate Server 1.34.0.3
  • PTV xMap Server 1.34.0.3
  • PTV xMapmatch Server 1.34.0.2
  • PTV xRoute Server 1.34.0.3
  • PTV xTerritory Server 1.34.0.3
  • PTV xTour Server 1.34.0.3
  • PTV xServer bundle 1.34.0.3

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet using PTV xServer 1.34 is already patched. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.

What a crazy week…