Primavera P6 Support
Protect your Primavera Enterprise systems from Malicious attacks
April 24, 2020
Background
Any application using Apache Struts is at risk of several well-known, well-used, vulnerabilities. The hacking of Equifax (in 2017) began with an attack against Apache Struts; this attack allowed the attackers to install their own code inside the Equifax network and browse for months, harvesting sensitive data.
- P6 Enterprise utilized Apache Struts in all versions until R18.4; all versions prior to R18.4 are vulnerable
- Oracle Weblogic (used to deploy P6 Enterprise) has used Apache Struts in all versions; all unpatched versions are vulnerable. Patches for Weblogic are being produced for Weblogic 12.2.1.x; all older versions must be upgraded and then patched to remain secure.
Solution
Based upon latest guidance, the most secure environment consists of the following:
- Oracle Weblogic version 12.2.1.4 with latest patchsets; any older Weblogic versions must be upgraded.
- P6 Enterprise R18.8 or R19.12, with latest patchsets; any older P6 Enterprise versions must be upgraded.
How to check which versions you currently have:
Check Weblogic version on the Console Login page for Weblogic, typically located at http://servername:7001/console
Check P6 Enterprise version from the login page: