The interface contains the component affected by this CVE.
Simply deleting the affected Log4j files, or replacing them with newer versions, within an existing installation is not possible.
A solution is available starting from SP04 PL08 of SAP ECTR Interface to PTC Creo.
See SAP Note 2112629 for details.
If you are using PTC Creo 7, please also see "PTC Creo 7 - Product Lifecycle Management - Community Wiki" (sap.com).
Additional information and recommendation:
As far as is known, only software that accepts or processes external data is affected.
Normally SAP ECTR Interface to PTC Creo does not accept or process external data.
Mitigation measures recommended by the Log4j vendor if an update to SP04 PL08 or later is not possible at short notice:
- Set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
or
- Delete the JndiLookup class from the classpath to disable JNDI [APA2021b]:
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
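To confirm that the class removal above took effect everywhere in an installation, or to apply it where no zip tool is available, the following added example (not vendor code, and not part of the original advisory) scans a directory tree and strips the class. The function names scan and strip_jndi_lookup are hypothetical, and it assumes the log4j-core-*.jar files sit directly on disk rather than nested inside other archives.

```python
import fnmatch
import os
import shutil
import tempfile
import zipfile

# Class path taken from the zip command in the advisory above.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def scan(root):
    """Map each log4j-core-*.jar under root to 'present', 'removed' or 'unreadable'."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in fnmatch.filter(files, "log4j-core-*.jar"):
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    found = JNDI_CLASS in jar.namelist()
                results[path] = "present" if found else "removed"
            except (zipfile.BadZipFile, OSError):
                results[path] = "unreadable"  # inspect by hand; do not assume clean
    return results


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; True if the class was removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".tmp", dir=os.path.dirname(jar_path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))
    shutil.copy2(jar_path, jar_path + ".bak")  # backup still holds the class
    os.replace(tmp, jar_path)
    return True


if __name__ == "__main__":
    # Constructed sample: a stand-in jar with dummy bytes, not a real Log4j build.
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "log4j-core-0.0.0.jar")
        with zipfile.ZipFile(sample, "w") as jar:
            jar.writestr(JNDI_CLASS, b"dummy")
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        print(scan(root), strip_jndi_lookup(sample), scan(root))
```

The .bak copy written next to each rewritten jar still contains the class, so move it out of the installation once the result has been checked.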
See also:
https://logging.apache.org/log4j/2.x/security.html
Kritische Schwachstelle in log4j veröffentlicht (CVE-2021-44228) [Critical vulnerability in log4j published] (bund.de)
Additional information concerning other .riess engineering / SAP Software products
.riess engineering: Apache Log4J