Primavera P6 Web Security Vulnerability

Monday, March 27, 2017

Urgency

High – a customer system has been compromised by this vulnerability and remote attackers gained access to the server.

Who this affects:

Customers who have any version of P6 Web Access that is externally accessible from the Internet. Customers whose P6 Web Access is only available within their network are at lower risk, but should still consider upgrading/patching.

What is the risk?

There is a security vulnerability in P6 Web and Oracle WebLogic that could allow remote attackers to gain access to the server running P6 Web.

Hosted Solution

Nu Solutions offers a hosted solution using Amazon Web Services for Primavera users starting at $50 per month. Cloud security at AWS is the highest priority. Oracle Critical Patch sets are applied when released. Nightly backups, 99.6% uptime, etc. Users can connect anywhere in the US & Canada. Please contact jake@nu-solutions.com for more info.

Oracle has released a Critical Patch Update that includes the Primavera Web applications. One of the vulnerabilities in P6 Web Access is rated a score of “10”, which is the highest severity. According to https://www.infosecurity-magazine.com/news/oracle-admins-faced-270-fixes/, the exploit could allow remote access to a Primavera Web Access system to add, modify, or delete data.

The Solution

The patchsets listed below are required to mitigate the vulnerability for each release, except for R8.2, which is no longer patched for security issues and must be upgraded to a more recent release.

Oracle Support Document 2212754.1 (Critical Patch Update January 2017 Patch Availability Document for Oracle Primavera Products) can be found at: https://support.oracle.com/epmos/faces/DocumentDisplay?id=2212754.1