How to handle the Log4j security issue with PTV xServer older than 1.34

With PTV xServer 1.34 we updated several third-party components to recent versions. This also included a major update of Apache Log4j from version 1 (PTV xServer < 1.34) to version 2 (PTV xServer 1.34). Because PTV xServer 1 is downward compatible, only the latest PTV xServer 1 version receives updates, and we recommend always using the newest one. This is important not only because of the security issues in Log4j, but also because of potential issues in other components.

If you cannot update your PTV xServer 1 installation to version 1.34 for any reason, you should know the following:

  • Log4j 1 is no longer maintained and has reached end of life. The security issues will not be fixed by Apache.
  • Log4j 2 incorporates many architectural changes compared to version 1. It is not possible to simply replace the Log4j 1 files with Log4j 2 files in older PTV xServer versions.

In the shipped configuration, the way PTV xServer versions older than 1.34 use Log4j 1 should not be affected by the current Log4j security issue. However, you can change this configuration in many ways for your own purposes. If you want to be on the safe side, we offer a patch of Log4j 1 for PTV xServer versions 1.26 to 1.32. In it we removed the affected classes, as we do not use them anyway. With this patch you can simply replace the existing Log4j 1 files in your PTV xServer installation.
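One way to check an installation after replacing the files, as an added example that is not part of the PTV patch or its documentation: the script reports whether a Log4j 1 jar still contains given classes and whether a customised properties configuration still references them. The class list, the sample configuration and the function names are assumptions, since this page does not name the removed classes.

```python
import io
import zipfile

# ASSUMPTION: the page does not name the removed classes. These two are real
# Log4j 1.x classes used as placeholders; take the actual list from the
# documentation shipped with the patch.
ASSUMED_REMOVED = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)

# Constructed sample of a customised log4j.properties (not a PTV file).
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, file
# log4j.appender.old=org.apache.log4j.net.SocketServer
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

def remaining_classes(jar, removed=ASSUMED_REMOVED):
    """Return the entries of `removed` still present in the jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    return sorted(entry for entry in removed if entry in names)

def config_references(config_text, removed=ASSUMED_REMOVED):
    """Return class names from `removed` used on non-comment properties lines."""
    # Only '#'/'!' properties comments are skipped; XML comments are not recognised.
    active = [ln.strip() for ln in config_text.splitlines()
              if not ln.strip().startswith(("#", "!"))]
    fqcns = [e[:-len(".class")].replace("/", ".") for e in removed]
    return [c for c in fqcns if any(c in ln for ln in active)]

def make_jar(entries):
    """Build an in-memory jar with empty entries, for the demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    original = make_jar(["org/apache/log4j/Logger.class", ASSUMED_REMOVED[0]])
    patched = make_jar(["org/apache/log4j/Logger.class"])
    print("original jar still contains:", remaining_classes(original))
    print("patched jar still contains: ", remaining_classes(patched))
    print("config references:", config_references(SAMPLE_CONFIG))
```

A configuration that still references a removed class will fail to load that appender once the patched files are in place, so the second check is worth running before the replacement as well.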

You can download the Log4j 1 patch, together with short documentation, from the PTV xServer Customer Area (see ‘API Version 1 – Important Notes’): https://www.ptvgroup.com/en/solutions/products/ptv-xserver/customer-area/ (login and license required)