An email went out to all Windchill customers alerting them to install a security patch from PTC. A copy of the email that went out to customers as well as additional details on this issue can be found below.
Customer Announcement
September 23, 2010
PTC has identified a security issue that could potentially allow an unauthorized user to gain access to a Windchill system.
This vulnerability affects all maintenance builds for the 9.0 and 9.1 releases of Windchill solutions including:
- Windchill PDMLink
- Windchill ProjectLink
- Pro/INTRALINK
- Arbortext Content Manager
PTC has developed and tested a patch that will fix this issue. It is available for download to all Windchill users who are on active maintenance. Please visit the Windchill customer support page for instructions and information on how to download this patch.
For additional details on this issue, please see TAN 151324.
While PTC Technical Support is not aware of any customer who has experienced such an unauthorized entry, we strongly recommend that all Windchill customers install this update immediately. Please contact your local Technical Support team if you have any questions.
The security of customer data and systems is a top priority concern at PTC and we rigorously review and continuously improve our solutions in this area. Thus, I would encourage you to subscribe to our automated support system so that we can proactively and immediately advise you of any issues in the future.
Windchill Security Patch FAQ
What versions of Windchill are affected by this issue?
All maintenance builds of Windchill 9.0 and 9.1.
What specific code or instructions were affected? How can a customer reproduce or exploit this problem so they can test the issue?
We are not providing these details. It would be irresponsible for PTC to generally divulge that information. We have committed to all of our customers that specific details of any vulnerability will not be revealed. We have done extensive testing with these patches and are confident that the currently known exploits have been fixed. (Note: There are NO exceptions to this rule)
Where can I find more details about this patch?
Details can be found in TAN 151324.
How long has PTC known about this vulnerability?
PTC discovered this vulnerability less than 24 hours before the first patches became available.
What effects will the customer see after running this patch?
In testing there were no effects seen. As with all patches, we did recommend backing up the Windchill codebase directory prior to deploying. This patch does not affect any database tables or LDAP information.
What impact does the patch have on customizations?
This patch makes a small change to an area of Windchill where customization is not supported. Customization should not be impacted by this issue.
For more information
Documentation supporting Arbortext is delivered in the Arbortext Editor Help Center. You can download the release notes for this and all recent releases from the Reference Documentation area of the PTC web site at ptc.com.
Key Concepts:
arbortext content manager (windchill), release notes