
The interface does contain the Log4j component affected by this CVE.

Simply deleting the affected Log4j files, or replacing them with newer versions, within an existing installation is not possible.

A solution is available starting from SP04 PL08 of SAP ECTR Interface to PTC Creo.

See SAP Note 2112629 for details.

Please also note PTC Creo 7 - Product Lifecycle Management - Community Wiki (sap.com) if you are using PTC Creo 7.



Additional information and recommendation:

As far as is known, only software that accepts or processes external data is affected.

Normally SAP ECTR Interface to PTC Creo does not accept or process external data.


Mitigation measures recommended by the Log4j vendor if a short-notice update to SP04 PL08 or later is not possible:

  • Set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true

or

  • Delete JndiLookup from the classpath [APA2021b]:
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

to disable JNDI.
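To confirm that the second measure was actually applied to every copy of the library, the following added example (not part of the original page or of any SAP / .riess engineering tooling) walks an installation directory, reports which log4j-core-*.jar files still contain JndiLookup.class, and can optionally remove the class. The function names and the sample jar are assumptions made for illustration; the class path is the one from the zip command above.

```python
import fnmatch
import os
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # from the zip command


def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as zip -d)."""
    fd, tmp = tempfile.mkstemp(suffix=".tmp", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)  # swap in only after the copy is complete


def audit(root, fix=False):
    """Map each log4j-core-*.jar below root to True if the class is still present."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in fnmatch.filter(files, "log4j-core-*.jar"):
            jar = os.path.join(dirpath, name)
            if fix and has_jndi_lookup(jar):
                strip_jndi_lookup(jar)
            report[jar] = has_jndi_lookup(jar)
    return report


def make_sample_install(root):
    """Constructed sample: placeholder bytes in a jar-shaped zip, not real Log4j."""
    jar = os.path.join(root, "lib", "log4j-core-2.x.jar")
    os.makedirs(os.path.dirname(jar))
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(JNDI_CLASS, b"placeholder")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")


if __name__ == "__main__":
    print(audit(sys.argv[1], fix="--fix" in sys.argv[2:]))
```

Pass the installation directory as the first argument and add --fix to remove the class; any jar still reported as True needs attention. Stop the application before using --fix so the jar is not locked, and restart it afterwards so the modified jar is loaded.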


See also:

https://logging.apache.org/log4j/2.x/security.html

Critical vulnerability in log4j published (CVE-2021-44228) (bund.de)


Additional information concerning other .riess engineering / SAP Software products

.riess engineering: Apache Log4J


