Opcenter APS Log4j Vulnerability Update

Siemens Digital Industries Software has released an official statement regarding Opcenter (Preactor) Planning & Scheduling‘s vulnerability to the Log4j attack. All end users can breathe a sigh of relief as this does not affect Opcenter APS. Additionally, end users can delete the Log4j.jar that is located within the example folder of the Network License Manager (NLM) with no impact on Opcenter APS. Below is the official statement from Siemens.


Opcenter Log4j Vulnerability Details

Siemens is aware and reviewing the two Log4j vulnerabilities recently announced by Apache:

  • CVE-2021-44228 (for versions 2.0 to 2.14.1)
  • CVE-2021-45046 (version 2.15.0)

Products and components belonging to the Opcenter APS product family do not use Log4j and are therefore not impacted.

—————————————————————————
Log4j vulnerability impact on Network License Manager (FlexNet Publisher (FNP))
CVE-2021-44228 has been determined to impact an optional alerter module found under examples within lmadmin (FlexNet Publisher Network License Manager).
FNP is not vulnerable to log4j vulnerability. It is just used in the example. Customers not using this example of the alerter module are not impacted.

Work Around (If implemented):
Download the latest version of Log4j like 2.16 (or latest) then replace the following file in this path
C:\Program Files (x86)\Siemens\Network License Manager\examples\alerter\lib
From
log4j-1.2-api-2.13.3.jar
log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
Replace to
log4j-1.2-api-2.16.0.jar
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar


SFB-OPCENTER_APS-8601478
Product Information:

  • Product: OPCENTER_APS
  • Product: PREACTOR

See Siemens’ original statement here.

If you have additional questions or concerns, please reach out to us at [email protected].

Scroll to Top