New year – new log4j Version!

First of all happy new year to everybody out there.
On December 28th, the new CVE-2021-44832 concerning log4j 2.17.0 was disclosed.

Since we shipped the newest versions of the PTV xServer 1.34.0.3/4 family (see blog post from 22.12.2021) as well as the PTV xServer 2.25.3 (see blog post from 20.12.2021) with Log4j version 2.17.0 just before Christmas, these versions are potentially affected by this new CVE.

Should we be worried about this?

First, when looking at https://logging.apache.org/log4j/2.x/security.html the severity of CVE-2021-44832 is classified as moderate as the attacker must have permissions to modify the log4j configuration file.

After a detailed analysis, we can say that we have not identified any product hosted by PTV that is vulnerable to CVE-2021-44832.

For all customers running PTV products that include log4j version 2.17.0 on premise: please make sure that no unauthorized person has write access to the log4j config file of your system. For PTV xServer installations, you can find the log4j config files (logging.xml and logging-module.xml) in the “conf” directory of your PTV xServer installation.
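One way to run this check on a Linux installation, as an added example that is not PTV code: the script reports group or world write access on the conf directory and the two config files, and flags any existing jndiName data source, because per the Apache advisory CVE-2021-44832 involves a JDBC Appender with a JNDI data source. The function names, the output format and the conf path passed in are assumptions.

```shell
#!/bin/sh
# Added example: audit write access to the log4j config files named in the post.
# Assumption: CONF_DIR is the "conf" directory of a PTV xServer installation on
# a POSIX host; function names and output format are made up for this example.

# Print "group" and/or "other" if that class has write permission on $1.
writable_by() {
    mode=$(ls -ldnL "$1" | cut -c1-10)          # e.g. -rw-rw-r--
    [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] && printf 'group '
    [ "$(printf '%s' "$mode" | cut -c9)" = "w" ] && printf 'other '
    return 0
}

audit_log4j_conf() {
    conf_dir=$1
    findings=0
    # The directory counts too: write access to it allows replacing the files.
    for target in "$conf_dir" "$conf_dir/logging.xml" "$conf_dir/logging-module.xml"; do
        if [ ! -e "$target" ]; then
            echo "MISSING  $target"
            continue
        fi
        who=$(writable_by "$target")
        if [ -n "$who" ]; then
            echo "WRITABLE $target (by: ${who% })"
            findings=$((findings + 1))
        fi
        # CVE-2021-44832 concerns a JDBC Appender whose data source is a JNDI
        # URI, so flag any jndiName attribute already present for review.
        if [ -f "$target" ] && grep -q 'jndiName' "$target"; then
            echo "REVIEW   $target (contains a jndiName data source)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /path/to/xserver/conf   (exit status 1 means findings)
if [ "$#" -gt 0 ]; then
    audit_log4j_conf "$1"
fi
```

The script only looks at permission bits; also confirm that the files are owned by the account that administers the xServer and that no ACLs grant additional write access.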

Because we think that the current CVE does not represent a critical problem for PTV products, we do not expect to update the latest versions of PTV xServer Family 1.34.0.3/4 and PTV xServer 2.25.3 (currently including log4j version 2.17.0) to the next log4j version, 2.17.1, before February 2022.

Of course, we will continue to follow the developments around log4j for you and keep you informed about further news.

Concerning further technical questions, please contact your Product Support.

PTV xServer 1.34 with Log4j 2.17.0 released

Groundhog day! The next release of PTV xServer 1.34 is available. As in PTV xServer 2, we have now integrated the latest security update Log4j 2.17.0. Keep your fingers crossed that this finally solves the current security issues in Log4j.

  • PTV xCluster Server 1.34.0.3
  • PTV xDima Server 1.34.0.4
  • PTV xLoad Server 1.34.0.3
  • PTV xLocate Server 1.34.0.4
  • PTV xMap Server 1.34.0.4
  • PTV xMapmatch Server 1.34.0.3
  • PTV xRoute Server 1.34.0.4
  • PTV xTerritory Server 1.34.0.4
  • PTV xTour Server 1.34.0.4
  • PTV xServer bundle 1.34.0.4

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet using PTV xServer 1.34 is already patched. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.

PTV xServer 2.25.3 with Log4j 2.17.0 released

The same procedure as every week … the PTV xServer 2.25.3 is released! We integrated the latest security update Log4j 2.17.0 and hopefully this is the last one needed to fix the current security issues in Log4j. And again the same is true for the just released PTV Content Update Service 2.25.3.

We are working on a similar bugfix release of PTV xServer 1.34 to integrate Log4j 2.17.0 there as well.

Please check the corresponding release notes here. If you do not see the release notes for PTV xServer 2.25.3, please clear your browser cache.

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet is already patched in the currently used versions. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.

PTV xServer 1.34 with latest Log4j released

And here is the next release of PTV xServer 1.34! As in PTV xServer 2, we have now integrated the latest security update Log4j 2.16.0 to fix the additional security risks found in Log4j 2.15.0. At the moment there is no further PTV xServer release planned on this topic.

  • PTV xCluster Server 1.34.0.2
  • PTV xDima Server 1.34.0.3
  • PTV xLoad Server 1.34.0.2
  • PTV xLocate Server 1.34.0.3
  • PTV xMap Server 1.34.0.3
  • PTV xMapmatch Server 1.34.0.2
  • PTV xRoute Server 1.34.0.3
  • PTV xTerritory Server 1.34.0.3
  • PTV xTour Server 1.34.0.3
  • PTV xServer bundle 1.34.0.3

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet using PTV xServer 1.34 is already patched. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.

What a crazy week…

PTV xServer 2.25.2 with latest Log4j released

The PTV xServer 2.25.2 is released! We have now integrated the latest security update Log4j 2.16.0 to fix the additional security risks found in Log4j 2.15.0 (integrated in PTV xServer 2.25.1). And again the same is true for the just released PTV Content Update Service 2.25.2. At the moment there is no further PTV xServer 2 release planned on this topic.

Please check the corresponding release notes here.

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet is already patched in the currently used versions. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.

PTV xServer 1.34 “Log4j” bugfix release available

PTV xServer 1.34 is now available with a fix for the critical vulnerability in the Apache Log4j logging framework. We integrated the security update Log4j 2.15.0.

  • PTV xCluster Server 1.34.0.1
  • PTV xDima Server 1.34.0.2
  • PTV xLoad Server 1.34.0.1
  • PTV xLocate Server 1.34.0.2
  • PTV xMap Server 1.34.0.2
  • PTV xMapmatch Server 1.34.0.1
  • PTV xRoute Server 1.34.0.2
  • PTV xTerritory Server 1.34.0.2
  • PTV xTour Server 1.34.0.2
  • PTV xServer bundle 1.34.0.2

As the situation is very dynamic, further security risks with a lower score have been found in Log4j 2.15.0. Log4j 2.16.0 is already available and the next bugfix release of PTV xServer 1.34 is in preparation to integrate it (same for PTV xServer 2.25). In any case, we recommend using the just released PTV xServer versions, as they fix the security risk with the highest score.

For on-premise solutions you can download the latest version from the PTV xServer Customer Area: https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)

The cloud solution PTV xServer internet using PTV xServer 1.34 is already patched. Check the Cluster Overview page to get more information about existing PTV xServer internet deployments.