Apache Log4j Vulnerability CVE-2021-44228 in Oracle Products
Incident: A serious remote code execution vulnerability (CVE-2021-44228) has been reported for the third-party Log4j library component used by several P6 EPPM server components.
We are currently in communication with Oracle about what steps can be taken until a patch is released. We will keep you updated in the "News and Blog" section on our homepage.
The following Oracle Primavera P6 versions are currently affected by the Log4J vulnerability:
- Primavera P6 Enterprise Project Portfolio Management - Version 19.12 to 126.96.36.199 [Release 19.12]
- Primavera P6 Enterprise Project Portfolio Management - Version 20.12 to 188.8.131.52 [Release 20.12]
The following P6 EPPM modules are affected by the noted releases:
- P6 (Web)
- P6 Team Member
- P6 Web Services
- P6 Services (.jar and .war deployments)
- P6 Cloud Connect
- P6 Integration API
The vulnerability affects web applications and interfaces. It does not affect the P6 Professional Client unless it is configured to communicate via P6 Professional Cloud Connect.
This vulnerability does not affect P6 EPPM 18.X, 17.X or earlier release versions.
The impact of the Apache Log4j vulnerability CVE-2021-44228 on Oracle products, for versions and releases that are in Premier Support or Extended Support under the Oracle Lifetime Support Policy, is listed in the appropriate categories below.
Note from Oracle:
Product versions not under Premier Support or Extended Support are not tested for the presence of this vulnerability.
Apache reports that CVE-2021-44228 applies only to Log4j versions 2.0-2.14.1 and not to Log4j versions 1.x.
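The Apache version range above, turned into a check an administrator can run against the .jar and .war deployments listed earlier: it finds log4j-core jars (including ones bundled inside a .war), reads the version from the jar manifest or file name, and flags anything from 2.0 through 2.14.1. This is an added example, not code from the advisory or from Oracle; the sample .war it builds is constructed for the demonstration and is not a real P6 artifact.

```python
import io
import re
import zipfile

AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
_JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pads short strings and drops a '-beta'/'-rc' suffix."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    parts = tuple(int(p) for p in m.group().split(".")) if m else (0,)
    return (parts + (0, 0, 0))[:3]

def is_affected(version):
    """True when 2.0 <= version <= 2.14.1, the range Apache lists for this CVE (1.x is out of scope)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def _log4j_core_version(name, data):
    """Version of a log4j-core jar, preferring its manifest over the file name."""
    if not (m := _JAR_NAME.search(name)):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        mv = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        return mv.group(1) if mv else m.group(1)
    except (KeyError, zipfile.BadZipFile):
        return m.group(1)

def scan_archive(name, data):
    """[(location, version, affected)] for log4j-core in a .jar/.war blob and in jars bundled inside it."""
    findings = []
    version = _log4j_core_version(name, data)
    if version:
        findings.append((name, version, is_affected(version)))
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for entry in (e for e in archive.namelist() if e.endswith(".jar")):
            inner = _log4j_core_version(entry, archive.read(entry))
            if inner:
                findings.append((f"{name}!{entry}", inner, is_affected(inner)))
    return findings

def build_sample_war(version="2.13.3"):
    """Constructed sample (not a real P6 artifact): a .war bundling log4j-core-<version>.jar."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    with zipfile.ZipFile(war, "w") as z:
        z.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return war.getvalue()
```

To scan a real deployment, pass the file's name and bytes to `scan_archive`; a `True` third element marks a jar in the affected range.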