PTV xServer 1.34 “Log4j” bugfix release available

The PTV xServer 1.34 is now available fixing the critical vulnerability in the Apache Log4j logging framework. We integrated the security update Log4j 2.15.0.

  • PTV xCluster Server 1.34.0.1
  • PTV xDima Server 1.34.0.2
  • PTV xLoad Server 1.34.0.1
  • PTV xLocate Server 1.34.0.2
  • PTV xMap Server 1.34.0.2
  • PTV xMapmatch Server 1.34.0.1
  • PTV xRoute Server 1.34.0.2
  • PTV xTerritory Server 1.34.0.2
  • PTV xTour Server 1.34.0.2
  • PTV xServer bundle 1.34.0.2

As the situation is very dynamic, there are further security risks with a lower score in Log4j 2.15.0 found. Log4j 2.16.0 is already available and the next bugfix release of PTV xServer 1.34 is in preparation to integrate it (same for PTV xServer 2.25). Anyway, we recommend to use the just released PTV xServer versions as the security risk with the highest score is fixed with them.

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet using PTV xServer 1.34 is already patched. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.

How to handle the Apache Log4j zero-day exploit using PTV xServer on-premise

As the PTV xServer API versions 1.34 and 2.x are affected by the critical vulnerability in the Apache Log4j logging framework we work on updates integrating the security update Log4j 2.15.0. We will announce the new on-premise versions here and recommend to use them as soon as they are available.

On short notice you can take the following measures to mitigate the zero-day exploit: Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS in your system to true. This of course also has a positive affect on other applications on your system that uses the lookup function from Log4j.

Please note that this mitigation works for PTV xServer 1.34 and from PTV xServer 2.7 on. In case of using PTV xServer versions 2.0 to 2.6 you have to update them first.

Moreover the PTV Content Update Service 2.x is in the same way affected as PTV xServer 2.x and the mitigation also works from PTV Content Update Service 2.7 on.

 

PTV xServer 1.34 released

The new PTV xServer API version 1.34 is available. As always, we recommend to use the new version as soon as possible. And these are the main topics:

  • Updated several third-party components to recent versions
  • Harmonized the speed values of the reference profile ‘truck11-99t_01-00’
  • Fixed some bugs, mainly concerning the distance matrix calculation

Please note that we also updated our logging framework. In case of individual changes in the logging configuration files, you have to adapt them (see “Migration Guide Logging”).

If you are interested in the full list of changes, you can check the corresponding release notes here.

You can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

Deactivation of Transport Layer Security (TLS) 1.0 and 1.1

Microsoft announced the deactivation of Transport Layer Security 1.0 and 1.1
Announcement from Microsoft on September 30th, 2020:
Transport Layer Security (TLS) 1.0 and 1.1 are security protocols for establishing encryption channels over computer networks. Microsoft has supported these protocols since Windows XP/Server 2003. However, due to evolving regulatory requirements as well as new security vulnerabilities in TLS 1.0, Microsoft recommends that customers remove TLS 1.0/1.1 dependencies in their environments and disable TLS 1.0 and 1.1 at the operating system level where possible. https://docs.microsoft.com/en-gb/lifecycle/announcements/transport-layer-security-1x-disablement

PTV xServer internet with API version 1 will no longer be able to support TLS 1.1 or lower by the date September 30th, 2021 due to security updates in Azure.
PTV will start to deactivate the protocols with the planned map updates starting in October 2021. The updates will be announced via our PTV Developer Blog. You can subscribe our blog to stay posted.

  • Your action is required if you are still using TLS 1.0 or 1.1 version, as the requests will not get through to our service after we update the map clusters.
  • If you still use .NET Framework version 4.5 and lower or Java 7 runtime and lower your action is required.
  • Update your framework to a newer version to guarantee access to our service after the update on our map clusters.

.NET Framework
We recommend updating to NET 4.6 and above. You don’t need to do any additional work to support TLS 1.2, it’s supported by default. More detailed information regarding different NET. versions can be found here:
https://blogs.perficient.com/2016/04/28/tsl-1-2-and-net-support/

PTV Java Clients
We recommend updating to a Java 8 runtime environment for the PTV xServer clients because Java 8 runtime supports TLS 1.2 by default.

PTV xServer internet update – PTV America City Map cluster with API version 1

We plan to perform maintenance on March, 1st 2020 that does not require any downtime.
The following tasks will be completed in the scope of this maintenance.

PTV America City Map [Here]- production/integration – cluster with API version 1:

  • PTV xServer update from version 1.28.3 to version 1.30.0
  • Map update form PTV America City Map version 2020.2H to version 2021.1H.

Please test your application on the already updated test system and report any problem immediately.

PTV xServer internet update – PTV America City Map cluster – production

We plan to perform maintenance on April, 20th 2020 that does not require any downtime.
The following tasks will be completed in the scope of this maintenance.

PTV America City Map [Here]- production/integration – cluster with API version 1:

  • PTV xServer update from version 1.28.0.1 to version 1.28.0.3
  • Map update form PTV America City Map version 2020.1H to version 2020.2H.

Please test your application on the today updated test system and report any problem immediately.