With news of a Log4j vulnerability, we would like customers to know that this does not affect Opcenter APS systems. And for peace of mind you can delete the Log4j.jar that is located within the example folder of Network License manager with no impact on Opcenter APS.
Please See below for Siemens Latest statement on the matter.
https://support.sw.siemens.com/en-US/knowledge-base/PL8601478
Update on the impact of the Apache Log4j vulnerability on the Opcenter APS product family
DETAILS
Siemens is aware and reviewing the two Log4j vulnerabilities recently announced by Apache:
- CVE-2021-44228 (for versions 2.0 to 2.14.1)
- CVE-2021-45046 (version 2.15.0)
Products and components belonging to the Opcenter APS product family do not use Log4j and are therefore not impacted.
—————————————————————————
Log4j vulnerability impact on Network License Manager (FlexNet Publisher (FNP))
CVE-2021-44228 has been determined to impact an optional alerter module found under examples within lmadmin (FlexNet Publisher Network License Manager).
FNP is not vulnerable to log4j vulnerability. It is just used in the example. Customers not using this example of the alerter module are not impacted.
Work Around (If implemented):
Download the latest version of Log4j like 2.16 (or latest) then replace the following file in this path
C:\Program Files (x86)\Siemens\Network License Manager\examples\alerter\lib
From
log4j-1.2-api-2.13.3.jar
log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
Replace to
log4j-1.2-api-2.16.0.jar
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
SFB-OPCENTER_APS-8601478
Product Information:
- Product: OPCENTER_APS
- Product: PREACTOR