Protect your Primavera Enterprise systems from malicious attacks

April 24, 2020

Background

Any application using Apache Struts is at risk from several well-known, widely exploited vulnerabilities. The Equifax breach in 2017 began with an attack against Apache Struts; this attack allowed the attackers to install their own code inside the Equifax network and browse for months, harvesting sensitive data.

  1. P6 Enterprise used Apache Struts in all versions until R18.4; all versions prior to R18.4 are vulnerable.
  2. Oracle WebLogic (used to deploy P6 Enterprise) has used Apache Struts in all versions; all unpatched versions are vulnerable. Patches are being produced for WebLogic 12.2.1.x; all older versions must be upgraded and then patched to remain secure.

Solution

Based on the latest guidance, the most secure environment consists of the following:

  1. Oracle WebLogic version 12.2.1.4 with the latest patch sets; any older WebLogic versions must be upgraded.
  2. P6 Enterprise R18.8 or R19.12, with the latest patch sets; any older P6 Enterprise versions must be upgraded.

How to check which versions you currently have:

Check the WebLogic version on the WebLogic Console login page, typically located at http://servername:7001/console

Check P6 Enterprise version from the login page: