First of all happy new year to everybody out there.
New year – new log4j Version!
On December 28th the new CVE-2021-44832 concerning log4j 2.17.0 has been newly disclosed.
Since we shipped the newest versions of the PTV xServer 1.34.0.3/4 family (see blog post from 22.12.2021) as well as the PTV xServer 2.25.3 (see blog post from 20.12.2021) with Log4j version 2.17.0 just before Christmas, these versions are potentially affected by this new CVE.
Should we be worried about this?
First, when looking at https://logging.apache.org/log4j/2.x/security.html the severity of CVE-2021-44832 is classified as moderate as the attacker must have permissions to modify the log4j configuration file.
After a detailed analysis, we can say that no products hosted by PTV which are vulnerable to CVE-2021-44832 have been identified.
For all customers running PTV products, including the log4j version 2.17.0 on premise, please just make sure that no unauthorized person has write access to the log4j config file of your system. For PTV xServer installations, you can find the log4j config files (logging.xml and logging-module.xml) in the “conf” directory of your PTV xServer installation.
Because we think that the current CVE does not represent a critical problem for PTV products, we expect to update the latest versions of PTV xServer Family 1.34.0.3/4 and PTV xServer 2.25.3 (currently including log4j Version 2.17.0) to the next log4j 2.17.1 not before February 2022.
Of course, we will continue to follow the developments around log4j for you and keep you informed about further news.
Concerning further technical questions, please contact your Product Support.