Siemens Digital Industries Software has released an official statement regarding Opcenter (Preactor) Planning & Scheduling‘s vulnerability to the Log4j attack. All end users can breathe a sigh of relief as this does not affect Opcenter APS. Additionally, end users can delete the Log4j.jar that is located within the example folder of the Network License Manager (NLM) with no impact on Opcenter APS. Below is the official statement from Siemens.
Opcenter Log4j Vulnerability Details
Siemens is aware and reviewing the two Log4j vulnerabilities recently announced by Apache:
- CVE-2021-44228 (for versions 2.0 to 2.14.1)
- CVE-2021-45046 (version 2.15.0)
Products and components belonging to the Opcenter APS product family do not use Log4j and are therefore not impacted.
Log4j vulnerability impact on Network License Manager (FlexNet Publisher (FNP))
CVE-2021-44228 has been determined to impact an optional alerter module found under examples within lmadmin (FlexNet Publisher Network License Manager).
FNP is not vulnerable to log4j vulnerability. It is just used in the example. Customers not using this example of the alerter module are not impacted.
Work Around (If implemented):
Download the latest version of Log4j like 2.16 (or latest) then replace the following file in this path
C:\Program Files (x86)\Siemens\Network License Manager\examples\alerter\lib
- Product: OPCENTER_APS
- Product: PREACTOR
See Siemens’ original statement here.
If you have additional questions or concerns, please reach out to us at [email protected].