How to handle the Apache Log4j zero-day exploit using PTV xServer on-premise

As the PTV xServer API versions 1.34 and 2.x are affected by the critical vulnerability in the Apache Log4j logging framework we work on updates integrating the security update Log4j 2.15.0. We will announce the new on-premise versions here and recommend to use them as soon as they are available.

On short notice you can take the following measures to mitigate the zero-day exploit: Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS in your system to true. This of course also has a positive affect on other applications on your system that uses the lookup function from Log4j.

Please note that this mitigation works for PTV xServer 1.34 and from PTV xServer 2.7 on. In case of using PTV xServer versions 2.0 to 2.6 you have to update them first.

Moreover the PTV Content Update Service 2.x is in the same way affected as PTV xServer 2.x and the mitigation also works from PTV Content Update Service 2.7 on.