CVE-2021-44228 and Your Oracle E-Business Suite/Fusion Middleware Systems

Posted in: Oracle, Technical Track

For many of us, the recent Log4j vulnerability (CVE-2021-44228) became a severe headache this past weekend. I thought we’d publish a summary of the findings gathered so far. We’ll keep it updated with news and details published by Oracle as soon as they appear on our radar.

The background

Some of our customers were under such stress that it was better to shut down or isolate all public internet-facing applications until the situation is resolved and official patches are applied. I don’t recall the last time we’ve had to deal with a CVE score of 10.0. To make things worse, we now know we’ve been living with this vulnerability for the last eight years; it has only become public now.

Products confirmed affected:

* – There is a trick behind release 12.2.1.3: it ships a file named log4j-1.2.17.jar. In the base release that jar really is the unaffected 1.2.17, but a later WLS PSU delivers the affected 2.x under the same file name, so do not trust the file name; check the manifest inside the jar:

# Base 12.2.1.3.0

$ unzip -p $ORACLE_HOME/oracle_common/modules/thirdparty/log4j-1.2.17.jar META-INF/MANIFEST.MF | grep -e Implementation-Version -e Bundle-Version
Bundle-Version: 1.2.17
Implementation-Version: 1.2.17
$ 

# WLS PATCH SET UPDATE 12.2.1.3.210929

Implementation-Version: 2.12.1
Bundle-Version: 2.12.1

# Overlay patch 33660731

Implementation-Version: 2.15.0
Bundle-Version: 2.15.0
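Because the file name cannot be trusted, the check has to look inside the jar. The following is an added example of mine, not code from the original post or from Oracle: a standard-library Python scanner that does what the unzip/grep loops in this post do, but classifies each jar by the classes it contains and by the version found in the manifest or, for the Oracle-repackaged EBS jars, in the README shipped inside the jar. It goes a little beyond the page by encoding the Apache fixed-version thresholds for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, including the 2.12.x and 2.3.x backport branches for older JDKs. The sample jars it builds are constructed stubs with fake class bytes; nothing in them is a real Oracle file.

```python
"""Classify jars by the Log4j they actually contain (stdlib only).

Added example, not from the original post or from Oracle. Identifies Log4j by
the classes inside the jar, not by file name, so it catches a log4j-1.2.17.jar
that really carries 2.12.1 and the Oracle-repackaged log4j_core.jar whose
version lives in a README rather than the manifest.
"""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"  # only log4j-core carries JndiLookup
API_PREFIX = "org/apache/logging/log4j/"         # log4j-api and the 2.x log4j-1.2-api bridge
LOG4J1_PREFIX = "org/apache/log4j/"              # Log4j 1.x classes (also present in the bridge)
ORACLE_READMES = ("README_log4j_core.txt", "README_log4j_api.txt", "README_log4j_1_2_api.txt")


def parse_version(text):
    """'2.12.1' -> (2, 12, 1); '1.2.17-16' -> (1, 2, 17); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def log4j_version(zf):
    """Version from MANIFEST.MF, else from the README Oracle ships inside EBS jars."""
    names = set(zf.namelist())
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^(?:Implementation|Bundle)-Version:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    for readme in ORACLE_READMES:
        if readme in names:
            m = re.search(r"Log4j\s+(\d[\d.]*)\s+libraries", zf.read(readme).decode("utf-8", "replace"))
            if m:
                return m.group(1)
    return None


def core_status(version, has_jndi):
    """Map a log4j-core version (and whether JndiLookup.class is still inside) onto the CVEs."""
    v = parse_version(version)
    if v is None:
        return "unknown-version"              # treat as vulnerable until proven otherwise
    fixed_45105 = v >= (2, 17, 0) or (2, 12, 3) <= v < (2, 13, 0) or (2, 3, 2) <= v < (2, 4, 0)
    fixed_45046 = fixed_45105 or v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0)
    fixed_44228 = fixed_45046 or v >= (2, 15, 0)
    if fixed_45105:
        return "ok"
    if not has_jndi:
        return "rce-mitigated"                # JNDI RCE closed by class removal; 45105 (DoS) still needs 2.17
    if not fixed_44228:
        return "CVE-2021-44228"
    if not fixed_45046:
        return "CVE-2021-45046"
    return "CVE-2021-45105"


def classify_jar(path):
    """Return {'version', 'status', 'jndi_lookup'} for one jar."""
    try:
        with zipfile.ZipFile(path) as zf:
            names, version = zf.namelist(), log4j_version(zf)
    except zipfile.BadZipFile:
        return {"version": None, "status": "not-a-zip", "jndi_lookup": False}
    has_jndi = JNDI_LOOKUP in names
    if any(n.startswith(CORE_PREFIX) for n in names):
        status = core_status(version, has_jndi)
    elif any(n.startswith(API_PREFIX) for n in names):
        status = "api-only"                   # no lookup code here; only the core jar matters
    elif any(n.startswith(LOG4J1_PREFIX) for n in names):
        status = "log4j-1.x"                  # not affected by CVE-2021-44228/45046/45105
    else:
        status = "not-log4j"
    return {"version": version, "status": status, "jndi_lookup": has_jndi}


def scan(root):
    """Classify every *.jar below root, keyed by path relative to root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                p = os.path.join(dirpath, f)
                results[os.path.relpath(p, root)] = classify_jar(p)
    return results


def build_sample_jars(root):
    """Constructed jars (stub class bytes, not real Oracle files) mirroring the cases on this page."""
    def jar(name, version=None, readme=None, entries=()):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            manifest = "Manifest-Version: 1.0\n"
            if version:
                manifest += "Implementation-Version: %s\nBundle-Version: %s\n" % (version, version)
            zf.writestr("META-INF/MANIFEST.MF", manifest)
            if readme:
                zf.writestr("README_log4j_core.txt", readme)
            for entry in entries:
                zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    core = CORE_PREFIX + "Logger.class"
    oracle = "Log4j 2.11.1 libraries repackaged for installation by Oracle Applications"
    jar("log4j-1.2.17.jar", version="2.12.1", entries=(core, JNDI_LOOKUP))   # the 12.2.1.3 PSU trick
    jar("log4j_core.jar", readme=oracle, entries=(core, JNDI_LOOKUP))        # EBS: version only in README
    jar("log4j_api.jar", readme=oracle, entries=(API_PREFIX + "Logger.class",))
    jar("log4j-core.jar", version="1.1.1", entries=(LOG4J1_PREFIX + "Logger.class",))  # 10.1.x stack
    jar("stripped_log4j_core.jar", version="2.11.1", entries=(core,))        # after zip -d JndiLookup.class
    jar("log4j-core-2.15.0.jar", version="2.15.0", entries=(core, JNDI_LOOKUP))
    jar("log4j-core-2.17.0.jar", version="2.17.0", entries=(core, JNDI_LOOKUP))
    jar("ojdbc8.jar", entries=("oracle/jdbc/OracleDriver.class",))


def demo():
    """Build the sample jars in a temp dir and scan them; returns the results dict."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_jars(root)
    return scan(root)
```

Point scan() at an FMW home or $RUN_BASE. Anything reported as CVE-2021-44228, CVE-2021-45046 or unknown-version with jndi_lookup True needs the patch or the JndiLookup removal; api-only and log4j-1.x jars are not where the lookup code lives. The scanner does not descend into jars nested inside ear/war archives; WebLogic extracts deployed applications under tmp/_WL_user (the emcore path in the R12.2 output below is one such copy), so those usually are on disk anyway.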

Products confirmed not affected:

  • Oracle WebLogic Server *
  • Oracle HTTP Server
  • Oracle Internet Directory
  • Oracle Access Manager **
  • Oracle Database
  • Oracle ODA/Exadata/Exalogic/Exalytics base image software

* – Vulnerable Log4j jars are included in the 12cR2+ third-party directories and may optionally be picked up by the applications deployed, but not by default.
** – We didn’t find OAM using the Log4j jars located with WebLogic. Initially it was listed as an affected product in the MOS note, but it was later moved to the unaffected section, confirming our initial assumption.

Updates

The EM agents we have checked include Log4j 1.x and are confirmed as not affected, but some recent EM agents do include Log4j 2.11.1. Oracle has released the Security Alert CVE-2021-44228 Patch Availability Document for Oracle Enterprise Manager Cloud Control (Doc ID 2828296.1) note with the official workaround.

It was discovered that the DB home installs Log4j 2.11 for the Spatial/Graph component. However, the external exposure risk isn’t clear yet.
With 19c these components are delivered as a separate installation. By default they are included in the DB home only in 12.2, 18c, and 21c.
Patch 33661960 has been released to update the Spatial client jars, but it is available only for 12.2.0.1.211019, 18.16, and 21.4.

AHF and TFA include the affected Log4j classes. However, the external exposure risk isn’t clear yet. Version 21.3.0.0.0 includes the fix (Patch 30166242).

The IDM 11g stack (OID 11.1.1.9 and OAM 11.1.2.3) uses Log4j 1.1.1 and 1.2.x in various places and is confirmed as not affected. Most likely all the problems are in the 12.2.1.3/12.2.1.4 releases.

Oracle has released Security Alert CVE-2021-44228 Patch Availability Document for Oracle Fusion Middleware (Doc ID 2827793.1) note with the official workaround (please reference the Workarounds section below).

Oracle has released the CVE-2021-44228 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities) (Doc ID 2827804.1) note with the official workaround. Only R12.2 with R12.TXK.C.Delta.12 or later is affected.

Oracle Access Manager 12c has not been confirmed as affected. Still, that statement does not cover the impact on the underlying Fusion Middleware Infrastructure.

Doc ID 2827793.1 (Oracle Fusion Middleware) has been updated with the Weblogic/Infrastructure patches released for 12.2.1.3 and 12.2.1.4.

Oracle E-Business Suite with Enterprise Command Centers – apply the appropriate Fusion Middleware Infrastructure/WebLogic patches to the ECC FMW Home.

The official workaround for Oracle E-Business Suite and Fusion Middleware has been changed to removing JndiLookup.class from the jar files only, because the formatMsgNoLookups option does not mitigate CVE-2021-45046.

New overlay patches are released for FMW 12.2.1.3 and 12.2.1.4 for both CVE-2021-44228 and CVE-2021-45046 delivering Log4j 2.16.

Oracle E-Business Suite with Extensions for Endeca – apply Patch 33660626.

Dedicated MOS notes released for OBI EE, WebCenter Portal/Sites (links are under the references section).

Oracle E-Business Suite now has an official Patch 33672402:R12.TXK.C released.

Added a reference to CVE-2021-45105 and the Log4j 2.17.0 release by the Apache Foundation (mitigating the denial-of-service risk in lookup evaluation). Nothing from Oracle on it yet.

Oracle E-Business Suite with Enterprise Command Centers implemented – additional patches listed (reference Doc ID 2827804.1).

Enterprise Manager – patches started to show up (reference Doc ID 2828296.1).

A new note has been released to explain the Database impact (reference Doc ID 2828877.1). It describes the Spatial and TFA impact.

The main MOS note (Doc ID 2827611.1) has been updated with the conclusions for all the products researched so far.

Fusion Middleware has a new overlay now including Apache Log4j version 2.17 (including the latest covered CVE-2021-45105).

WebCenter Sites 12.2.1.4 now has the patches released (reference Doc ID 2828507.1).
WebCenter Portal patch updates based on Apache Log4j version 2.17.


Oracle EBS impact state

The research in the EBS area is displayed below.

R12.1.3: breathe and stay calm; it is not running the affected versions:

$ ls -l /proc/*/fd 2>/dev/null | grep log4j
$ find /u01/EBSPROD/apps -name "*log4j*.jar"
/u01/EBSPROD/apps/tech_st/10.1.3/ant/lib/ant-apache-log4j.jar
/u01/EBSPROD/apps/tech_st/10.1.3/jlib/soaprov/lib/log4j_1.2.8.jar
/u01/EBSPROD/apps/tech_st/10.1.3/j2ee/oafm/applications/ascontrol/ascontrol/WEB-INF/lib/ojdl-log4j.jar
/u01/EBSPROD/apps/tech_st/10.1.3/j2ee/oafm/applications/ascontrol/ascontrol/WEB-INF/lib/log4j-core.jar
/u01/EBSPROD/apps/tech_st/10.1.3/diagnostics/lib/ojdl-log4j.jar
/u01/EBSPROD/apps/tech_st/10.1.2/sysman/jlib/log4j-core.jar
/u01/EBSPROD/apps/tech_st/10.1.2/sysman/webapps/emd/WEB-INF/lib/log4j-core.jar
/u01/EBSPROD/apps/tech_st/10.1.2/sysman/admin/emdrep/lib/log4j.jar
/u01/EBSPROD/apps/tech_st/10.1.2/diagnostics/lib/ojdl-log4j.jar
$ ls -l /u01/EBSPROD/apps/apps_st/comn/java/lib/log4j*
ls: cannot access /u01/EBSPROD/apps/apps_st/comn/java/lib/log4j*: No such file or directory
$ while read f
> do
>   echo "### $(basename ${f})"
>   unzip -p ${f} META-INF/MANIFEST.MF README_log4j_core.txt README_log4j_1_2_api.txt README_log4j_api.txt 2>/dev/null | egrep -e "Implementation-Version" -e "Log4j.*libraries"
> done<<EOF
> /u01/EBSPROD/apps/tech_st/10.1.2/diagnostics/lib/ojdl-log4j.jar
> /u01/EBSPROD/apps/tech_st/10.1.2/sysman/admin/emdrep/lib/log4j.jar
> /u01/EBSPROD/apps/tech_st/10.1.2/sysman/jlib/log4j-core.jar
> /u01/EBSPROD/apps/tech_st/10.1.2/sysman/webapps/emd/WEB-INF/lib/log4j-core.jar
> /u01/EBSPROD/apps/tech_st/10.1.3/ant/lib/ant-apache-log4j.jar
> /u01/EBSPROD/apps/tech_st/10.1.3/diagnostics/lib/ojdl-log4j.jar
> /u01/EBSPROD/apps/tech_st/10.1.3/j2ee/oafm/applications/ascontrol/ascontrol/WEB-INF/lib/log4j-core.jar
> /u01/EBSPROD/apps/tech_st/10.1.3/j2ee/oafm/applications/ascontrol/ascontrol/WEB-INF/lib/ojdl-log4j.jar
> /u01/EBSPROD/apps/tech_st/10.1.3/jlib/soaprov/lib/log4j_1.2.8.jar
> EOF
### ojdl-log4j.jar
### log4j.jar
Implementation-Version: 1.1.3
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### ant-apache-log4j.jar
Implementation-Version: 1.6.5
### ojdl-log4j.jar
### log4j-core.jar
Implementation-Version: 1.1.1
### ojdl-log4j.jar
### log4j_1.2.8.jar
Implementation-Version: 1.2.8
$


R12.2 – Log4j 2.11.1 is there under $JAVA_TOP and $FND_TOP (only R12.TXK.C.Delta.12 or later is affected):

$ ls -l /proc/*/fd 2>/dev/null | grep log4j
lr-x------ 1 oracle dba 64 Dec 11 18:45 48 -> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
lr-x------ 1 oracle dba 64 Dec 11 16:42 494 -> /u01/EBSPROD/fs2/FMW_Home/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.8.jar
lr-x------ 1 oracle dba 64 Dec 11 16:42 497 -> /u01/EBSPROD/fs2/FMW_Home/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.17-16.jar
lr-x------ 1 oracle dba 64 Dec 11 16:42 779 -> /u01/EBSPROD/fs2/FMW_Home/user_projects/domains/EBS_domain/servers/AdminServer/tmp/_WL_user/emcore/28c293/WEB-INF/lib/log4j-core.jar
lr-x------ 1 oracle dba 64 Dec 11 17:03 50 -> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
lr-x------ 1 oracle dba 64 Dec 11 18:45 801 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_1_2_api.jar
lr-x------ 1 oracle dba 64 Dec 11 18:45 802 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_api.jar
lr-x------ 1 oracle dba 64 Dec 11 18:45 803 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_core.jar
lr-x------ 1 oracle dba 64 Dec 11 17:03 51 -> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
lr-x------ 1 oracle dba 64 Dec 11 17:03 811 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_1_2_api.jar
lr-x------ 1 oracle dba 64 Dec 11 17:03 812 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_api.jar
lr-x------ 1 oracle dba 64 Dec 11 17:03 813 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_core.jar
lr-x------ 1 oracle dba 64 Dec 11 17:03 50 -> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 50 -> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 322 -> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 89 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_1_2_api.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 90 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_api.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 91 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_core.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 322 -> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 89 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_1_2_api.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 90 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_api.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 91 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_core.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 322 -> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 89 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_1_2_api.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 90 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_api.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 91 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_core.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 322 -> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 89 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_1_2_api.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 90 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_api.jar
lr-x------ 1 oracle dba 64 Dec 11 15:44 91 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_core.jar
lr-x------ 1 oracle dba 64 Dec 11 17:03 322 -> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
lr-x------ 1 oracle dba 64 Dec 11 17:03 89 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_1_2_api.jar
lr-x------ 1 oracle dba 64 Dec 11 17:03 90 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_api.jar
lr-x------ 1 oracle dba 64 Dec 11 17:03 91 -> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_core.jar
$ while read f
> do
>   echo "### $(basename ${f})"
>   unzip -p ${f} META-INF/MANIFEST.MF README_log4j_core.txt README_log4j_1_2_api.txt README_log4j_api.txt 2>/dev/null | egrep -e "Implementation-Version" -e "Log4j.*libraries"
> done<<EOF
> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_1_2_api.jar
> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_api.jar
> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_core.jar
> /u01/EBSPROD/fs2/FMW_Home/modules/org.apache.ant_1.7.1/lib/ant-apache-log4j.jar
> /u01/EBSPROD/fs2/FMW_Home/user_projects/domains/EBS_domain/servers/AdminServer/tmp/_WL_user/emcore/28c293/WEB-INF/lib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.17-16.jar
> /u01/EBSPROD/fs2/FMW_Home/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.8.jar
> EOF
### log4j_1_2_api.jar
Log4j 2.11.1 libraries repackaged for installation by Oracle Applications
### log4j_api.jar
Log4j 2.11.1 libraries repackaged for installation by Oracle Applications
### log4j_core.jar
Log4j 2.11.1 libraries repackaged for installation by Oracle Applications
### ant-apache-log4j.jar
Implementation-Version: 1.9.15
### log4j-core.jar
Implementation-Version: 1.2.13
Implementation-Version: 1.2.13
### log4j-1.2.17-16.jar
Implementation-Version: 1.2.17-16
### log4j-1.2.8.jar
$ find $RUN_BASE/ -name "log4j*.jar"
/u01/EBSPROD/fs2/inst/apps/EBSPROD_ebsprodapp01/logs/appl/rgf/TXK/CLONINGCLIENT-3875884968495143198/ouienginebinary1599588362119/oui/jlib/jlib/log4j-core.jar
/u01/EBSPROD/fs2/EBSapps/appl/fnd/12.0.0/java/3rdparty/stdalone/log4j_core.jar
/u01/EBSPROD/fs2/EBSapps/appl/fnd/12.0.0/java/3rdparty/stdalone/log4j_1_2_api.jar
/u01/EBSPROD/fs2/EBSapps/appl/fnd/12.0.0/java/3rdparty/stdalone/log4j_1_2_13.jar
/u01/EBSPROD/fs2/EBSapps/appl/fnd/12.0.0/java/3rdparty/stdalone/log4j_api.jar
/u01/EBSPROD/fs2/EBSapps/10.1.2/sysman/jlib/log4j-core.jar
/u01/EBSPROD/fs2/EBSapps/10.1.2/sysman/webapps/emd/WEB-INF/lib/log4j-core.jar
/u01/EBSPROD/fs2/EBSapps/10.1.2/sysman/admin/emdrep/lib/log4j.jar
/u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_core.jar
/u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_1_2_api.jar
/u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_1_2_13.jar
/u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_api.jar
/u01/EBSPROD/fs2/EBSapps/comn/clone/prereq/webtier/oui/jlib/jlib/log4j-core.jar
/u01/EBSPROD/fs2/EBSapps/comn/adopclone_ebsprodapp01/prereq/webtier/oui/jlib/jlib/log4j-core.jar
/u01/EBSPROD/fs2/EBSapps/comn/adopclone_ebsprodapp01/OCM/webtier/ccr/lib/log4j-core.jar
/u01/EBSPROD/fs2/EBSapps/comn/adopclone_ebsprodapp01/OCM/utils/ccr/lib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/Oracle_OAMWebGate1/oui/jlib/jlib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/webtier/ccr/lib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/webtier/oui/jlib/jlib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/webtier/OPatch/ocm/lib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/user_projects/domains/EBS_domain/servers/AdminServer/tmp/_WL_user/emcore/28c293/WEB-INF/lib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/Oracle_EBS-app1/ccr/lib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/Oracle_EBS-app1/oui/jlib/jlib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/Oracle_EBS-app1/oui/jlib/lib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.8.jar
/u01/EBSPROD/fs2/FMW_Home/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.17-16.jar
/u01/EBSPROD/fs2/FMW_Home/oracle_common/oui/jlib/jlib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/oracle_common/OPatch/ocm/lib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/oracle_common/sysman/jlib/log4j-core.jar
/u01/EBSPROD/fs2/FMW_Home/utils/ccr/lib/log4j-core.jar
$ while read f
> do
>   echo "### $(basename ${f})"
>   unzip -p ${f} META-INF/MANIFEST.MF README_log4j_core.txt README_log4j_1_2_api.txt README_log4j_api.txt 2>/dev/null | egrep -e "Implementation-Version" -e "Log4j.*libraries"
> done<<EOF
> /u01/EBSPROD/fs2/inst/apps/EBSPROD_ebsprodapp01/logs/appl/rgf/TXK/CLONINGCLIENT-3875884968495143198/ouienginebinary1599588362119/oui/jlib/jlib/log4j-core.jar
> /u01/EBSPROD/fs2/EBSapps/appl/fnd/12.0.0/java/3rdparty/stdalone/log4j_core.jar
> /u01/EBSPROD/fs2/EBSapps/10.1.2/sysman/jlib/log4j-core.jar
> /u01/EBSPROD/fs2/EBSapps/10.1.2/sysman/webapps/emd/WEB-INF/lib/log4j-core.jar
> /u01/EBSPROD/fs2/EBSapps/comn/java/lib/log4j_core.jar
> /u01/EBSPROD/fs2/EBSapps/comn/clone/prereq/webtier/oui/jlib/jlib/log4j-core.jar
> /u01/EBSPROD/fs2/EBSapps/comn/adopclone_ebsprodapp01/prereq/webtier/oui/jlib/jlib/log4j-core.jar
> /u01/EBSPROD/fs2/EBSapps/comn/adopclone_ebsprodapp01/OCM/webtier/ccr/lib/log4j-core.jar
> /u01/EBSPROD/fs2/EBSapps/comn/adopclone_ebsprodapp01/OCM/utils/ccr/lib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/Oracle_OAMWebGate1/oui/jlib/jlib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/webtier/ccr/lib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/webtier/oui/jlib/jlib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/webtier/OPatch/ocm/lib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/user_projects/domains/EBS_domain/servers/AdminServer/tmp/_WL_user/emcore/28c293/WEB-INF/lib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/Oracle_EBS-app1/ccr/lib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/Oracle_EBS-app1/oui/jlib/jlib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/Oracle_EBS-app1/oui/jlib/lib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.17-16.jar
> /u01/EBSPROD/fs2/FMW_Home/oracle_common/oui/jlib/jlib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/oracle_common/OPatch/ocm/lib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/oracle_common/sysman/jlib/log4j-core.jar
> /u01/EBSPROD/fs2/FMW_Home/utils/ccr/lib/log4j-core.jar
> EOF
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j_core.jar
Log4j 2.11.1 libraries repackaged for installation by Oracle Applications
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j_core.jar
Log4j 2.11.1 libraries repackaged for installation by Oracle Applications
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.2.13
Implementation-Version: 1.2.13
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-1.2.17-16.jar
Implementation-Version: 1.2.17-16
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.1.1
### log4j-core.jar
Implementation-Version: 1.2.13
Implementation-Version: 1.2.13
### log4j-core.jar
Implementation-Version: 1.1.1
$


Workarounds

  1. Upgrade to Log4j 2.15.0. In theory the libraries can be replaced manually until an official patch is released. Update 1: an interesting read came across here which explains that 2.15.0 is not safe enough and tracks a further issue, CVE-2021-45046; 2.16.0 is the target, with JNDI switched off completely. Update 2: the Apache Foundation has released 2.17.0 covering CVE-2021-45105 (base score 7.5, denial-of-service risk).
  2. Add -Dlog4j2.formatMsgNoLookups=true to the Java parameters via the WebLogic console and restart your managed servers. Update: this does not mitigate CVE-2021-45046, which affects 2.15.0 as well.
  3. Add LOG4J_FORMAT_MSG_NO_LOOKUPS=true to the environment that starts the Java server processes. Update: same limitation as option 2; it does not mitigate CVE-2021-45046.
  4. Remove the JndiLookup class from the affected jar files. It may raise exceptions in the logs, but it should not impact the application:
     zip -q -d <log4j impacted jar file> org/apache/logging/log4j/core/lookup/JndiLookup.class
  5. Hotpatch the lookup() method (reference). This fix is not applicable to Oracle EBS because it runs on JDK 7.

So far we have tested only the -Dlog4j2.formatMsgNoLookups=true approach, and we are now actively removing JndiLookup.class from all the affected jar files.
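For hosts without the zip binary, or where you want a backup and a verification step around option 4, here is an added example of mine (not from the original post or from Oracle’s notes) that does the same JndiLookup.class removal with the Python standard library. The jar in the demo is a constructed stub with fake class bytes; the functions take whatever jar paths you pass them, for example the $FND_TOP and $JAVA_TOP copies of log4j_core.jar named in Doc ID 2827804.1.

```python
"""Strip JndiLookup.class from a Log4j 2 core jar, keeping a backup (stdlib only).

Added example, not from the original post or from Oracle. Rewrites the jar
entry by entry, verifies the result, and only then replaces the original, so a
failure part-way through never leaves a truncated jar on the class path. The JVM
does not re-read a jar it has already opened: restart the managed servers after
the change, and re-run the check on every node.
"""
import os
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def strip_jndi_lookup(jar_path, backup_suffix=".bak"):
    """Remove JndiLookup.class from jar_path in place.

    Returns True if the class was removed, False if the jar was already clean
    (in which case no backup is written).  Raises RuntimeError, leaving the
    original untouched, if the rewritten jar fails verification.
    """
    with zipfile.ZipFile(jar_path) as zf:
        if JNDI_LOOKUP not in zf.namelist():
            return False
    backup = jar_path + backup_suffix
    tmp = jar_path + ".tmp"
    shutil.copy2(jar_path, backup)                  # rollback copy, permissions included
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info))  # keeps each entry's compression and timestamp
    with zipfile.ZipFile(tmp) as check:             # testzip() returns the first bad entry, or None
        if check.testzip() is not None or JNDI_LOOKUP in check.namelist():
            os.remove(tmp)
            raise RuntimeError("rewritten jar failed verification, original kept: %s" % jar_path)
    shutil.copymode(jar_path, tmp)                  # preserve the original file mode
    os.replace(tmp, jar_path)                       # atomic swap on the same file system
    return True


def strip_all(jar_paths):
    """Apply strip_jndi_lookup to each path; returns {path: True | False | 'error: ...'}."""
    results = {}
    for p in jar_paths:
        try:
            results[p] = strip_jndi_lookup(p)
        except (OSError, zipfile.BadZipFile, RuntimeError) as exc:
            results[p] = "error: %s" % exc
    return results


def demo():
    """Constructed jar with stub class bytes (not a real Log4j jar); strips it twice."""
    root = tempfile.mkdtemp(prefix="log4j-strip-")
    jar = os.path.join(root, "log4j_core.jar")
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    first = strip_jndi_lookup(jar)      # True: class removed, log4j_core.jar.bak written
    second = strip_jndi_lookup(jar)     # False: already clean, so the call is idempotent
    with zipfile.ZipFile(jar) as zf:
        remaining = sorted(zf.namelist())
    return first, second, remaining, os.path.exists(jar + ".bak")
```

Note that this only closes the JNDI lookup path (CVE-2021-44228 and CVE-2021-45046); the recursion bug in CVE-2021-45105 lives elsewhere in the lookup code and needs the 2.17 jars, which is why the overlay patches rather than the class removal are the end state.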

Official solutions

Oracle has released the Security Alert CVE-2021-44228 Patch Availability Document for Oracle Fusion Middleware (Doc ID 2827793.1) note with the official workaround, similar to options 2 and 4 above. Patch options are available now as well.

  1. Log4j version 2.0 to 2.9 – remove JndiLookup.class from all log4j-core-*.jar files found under the FMW home.
  2. Log4j version 2.10.0 to 2.14.1 – add -Dlog4j2.formatMsgNoLookups=true. Update: this does not mitigate CVE-2021-45046, which affects 2.15.0 as well.
  3. 12.2.1.3.0 – Patch 33412599 WLS PATCH SET UPDATE 12.2.1.3.210929 + Patch 33691226 WLS OVERLAY PATCH FOR 12.2.1.3.0 OCT 2021 PSU for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
  4. 12.2.1.4.0 – Patch 31960985 WLS PATCH SET UPDATE 12.2.1.4.210930 + Patch 33691226 WLS OVERLAY PATCH FOR 12.2.1.4.0 OCT 2021 PSU for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Oracle has released the CVE-2021-44228 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities) (Doc ID 2827804.1) note. Initially the official workaround was option 3 above; it has since changed to option 4, and a patch is now available too.

  1. Remove JndiLookup.class from $FND_TOP/java/3rdparty/stdalone/log4j_core.jar and $JAVA_TOP/lib/log4j_core.jar.
  2. R12.TXK.C.Delta.12+: Patch 33672402: Fix for Bug 33672402

If Enterprise Command Centers have been implemented, apply the Fusion Middleware Infrastructure/WebLogic patches listed above to the ECC FMW Home; other ECC-related patches are listed in the note depending on the version deployed.
Apply Patch 33660626 if Extensions for Endeca have been implemented.

References


CPU-JAN-2022 security updates have been released. Good luck with the patching.
Last revision date: 04-JAN-2022


6 Comments

Thanks. Looks like 2827804.1 has been updated with new mitigation plan. Please check.

Andrejs Prokopjevs
December 16, 2021 3:41 am

Right. All because of the additional CVE-2021-45046. Just submitted the updates to the blog post. Thanks.


Hi, thank you for this great article !

I have a question concerning Log4J v1.x. I understand that it’s not affected by CVE-2021-44228 and CVE-2021-45046.

Why is Oracle not talking about Log4J v1.x CVE-2019-17571, which scores 9.8 on CVSSv3 and is included in many products like Oracle Enterprise Manager 13.4 and OEM Agent 13.4?

Andrejs Prokopjevs
December 20, 2021 2:26 am

I remember CVE-2019-17571. It was covered in April 2020 for the Weblogic core server part. For other products, it was marked as non-exploitable CVE (if I recall it correctly).


According to “Security Alert For CVE-2019-17571 And Its Impact Oracle Enterprise Manager Cloud Control (Doc ID 2828836.1)” , EM and underlying Fusion Middleware are not impacted by this vulnerability.

Andrejs Prokopjevs
December 21, 2021 3:25 am

Thanks for the hint. It answers Vincent’s question.

