On Friday 09.12.21 a critical vulnerability (Log4Shell) in the widely used Java library Log4j was identified. According to the assessment of many authorities, this leads to an extremely critical threat situation, which is why, among others, the Federal Office for Information Security (BSI) in Germany has upgraded its existing cyber security warning to warning level red (see Common Vulnerabilities and Exposures at https://www.cve.org/CVERecord?id=CVE-2021-44228 and BSI at https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/211211_log4Shell_WarnstufeRot.html).
The affected component is also used in some PTV products. This affects both customer installations and the cloud offering of PTV Group.
We have therefore been working on updating the affected PTV products since the vulnerability was announced; see the overview below.
On December 28th the new CVE-2021-44832 concerning Log4j 2.17.0 was disclosed. After a detailed analysis, we can say that no products hosted by PTV which are vulnerable to CVE-2021-44832 have been identified. For further information, please read our latest update on the Developer Blog.
List of products (affected, but patched):
- PTV xServer internet 1 / PTV xServer internet 2: Has already been patched in the currently used versions.
- PTV xServer 1.34 (on prem): Fixed by integrating Log4j 2.17.0.
- PTV xServer 2 (on prem): Fixed by integrating Log4j 2.17.0.
- PTV Content Update Service 2 (on prem): Fixed by integrating Log4j 2.17.0.
- PTV TLN planner internet: Has already been patched.
- PTV Route Optimizer SaaS / Demonstrator: Has already been patched.
- PTV Developer: Has already been patched.
- PTV Visum Publisher: Has already been patched.
- PTV Route Optimiser CL
- PTV Route Optimiser ST (on prem - xServer2): Fixed by integrating Log4j 2.17.0 and Patch 35 for Version 2019.2.1, Patch 29 for Version 2020.1 or Patch 17 for Version 2021.1 (20.12.21).
- Map&Market >= 2018
List of products (affected, but mitigation available; customers informed):
- PTV MaaS Modeller
List of products (not affected):
- PTV xServer < 1.34 (on prem): Not affected when using the default logging configuration. For more information, see the blog post.
- PTV Route Optimiser ST (TourOpt)
- Map&Market <= 2017
- PTV Road Editor
- PTV Map&Guide internet
- PTV Map&Guide intranet
- PTV Navigator Licence Manager
- PTV Navigator App
- PTV Drive&Arrive App
- PTV Arrival Board / Trip Creator / EM Portal
- PTV Drive&Arrive
- PTV Visum
- PTV Vissim
- PTV Vistro
- PTV Viswalk
- PTV Balance and PTV Epics
- PTV Hyperpath
- PTV TRE and PTV Tre-Addin
- PTV Optima
- PTV Vistad Euska
A security update for the vulnerability is already available from the manufacturer of Log4j. In addition, all products that use Log4j, including all affected PTV products, must be adapted.
For cloud products, the update will be performed by PTV in its own data centers.
For customer-owned installations, we will provide an update shortly and offer it for download. All customers will receive direct information about this in a timely manner.
For further technical questions, please contact your Product Support.
Last updated: 03.01.2022 - 21:00