Oracle, Technodiscovery

Oracle EBS R12.2 Fix log4j vulnerability in AD/TXK.Delta.12/13

Leave a comment

CVE-2021-44228 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities) (Doc ID 2827804.1)

Applicability: Those who have either upgraded their 12.2 AD/TXK to either Delta.12/13 generally in preparation toward compatibility with 19c database upgrades, or have continuous patching policy promoting that component upgrade.

Prior AD/TXK releases did not employ the JNDI supporting log4j code.

The existing work-around fix, which later will be packaged in the next release of AD/TXK with the newer version of the log4j library that does not have the vulnerability, is quite simple. The instructions are to delete the vulnerable JndiLookup.class from the archive log4j_core.jar in which it was deployed.f

This file exists in two places: $COMMON_TOP for runtime use, and $FND_TOP, the patched staging version copied to $COMMON_TOP.

Please remember you need to fix both your Run and Patch filesystems, so you can run the fix once for each.

This is a scripted re-packaging of the steps outlined in the above MOS Doc ID 2827804.1 – modify to suit your particular installation and platform:

!/bin/ksh

Fix log4j vulnerability in AD/TXK.Delta.12/13

echo "\n Fix log4j vulnerability in AD/TXK.Delta.12/13 \n"
echo "CVE-2021-44228 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities) (Doc ID 2827804.1) \n"
export jars="$FND_TOP/java/3rdparty/stdalone/log4j_core.jar $COMMON_TOP/java/lib/log4j_core.jar"
echo "\nCurrent copies of log4j_core.jar:\n"
for jar in $jars ;do ls -l $jar ;done
echo "\nBackup the existing log4j_core.jar in FND_TOP\n"
mv $FND_TOP/java/3rdparty/stdalone/log4j_core.jar $FND_TOP/java/3rdparty/stdalone/log4j_core.jar.bak
cp $FND_TOP/java/3rdparty/stdalone/log4j_core.jar.bak $FND_TOP/java/3rdparty/stdalone/log4j_core.jar
echo "\nDeleting JndiLookup.class from Jar archives\n"
for jar in $jars ;do zip -d $jar org/apache/logging/log4j/core/lookup/JndiLookup.class ;done
echo "\nVerify that size is smaller and dates are newer\n"
for jar in $jars ;do ls -l $jar ;done
echo "\nVerify that JndiLookup.class is no longer found in jars (0 files) :\n"
for jar in $jars ;do unzip -l -q $jar org/apache/logging/log4j/core/lookup/JndiLookup.class ;done
echo "\nNow bounce the MT services - adstpall.sh adstrtal.sh "
cd $ADMIN_SCRIPTS_HOME

For those with WebLogic based apps (Primavera, SOA Suite, etc.) this is the applicable MOS Doc for those:
Security Alert CVE-2021-44228 / CVE-2021-45046 Patch Availability Document for Oracle Fusion Middleware (Doc ID 2827793.1)

Evaluation of Log4j Use

  • The system classpath (CLASSPATH) is displayed during WebLogic Server startup by the startWebLogic script. It is also viewable in the DOMAIN_HOME/servers/[servername]/logs/[servername].out file.
  • Review the following to determine the impact and considerations for all Oracle products, which may be using these or different Log4j jar files:

    Doc ID 2827611.1 Apache Log4j Security Alert CVE-2021-44228 Products and Versions

WebLogic Server Installed Log4j Files

Apache Log4j version 2 is not used in default Oracle WebLogic Server installations or configurations. However, the Oracle WebLogic Server home contains vulnerable Log4j version 2 jars.

The version 2 jar files are in the ORACLE_HOME/oracle_common/modules/thirdparty directory for each version are:

12.2.1.3.0: log4j-1.2.17.jar
12.2.1.4.0: log4j-2.11.1.jar
14.1.1.0.0: log4j-core-2.11.1.jar and log4j-api-2.11.0.jar

Patch Availability for Oracle WebLogic Server and Oracle Fusion Middleware 

The patching requirements from addressing CVE-2021-44228 and CVE-2021-45046 are listed below with patch links for all versions under error correction support.

The patch has a prerequisite of the WebLogic Server PSU for Oct 2021:

WLS ReleaseRequired Patches
(Apply the WLS PSU and then the CVE Overlay)
14.1.1.0.0 WLS PATCH SET UPDATE 14.1.1.0.210930 (Patch 33416881)
    + WLS OVERLAY PATCH FOR 14.1.1.0.0 OCT 2021 PSU (Patch 33671996) for CVE-2021-44228,CVE-2021-45046
12.2.1.4.0 WLS PATCH SET UPDATE 12.2.1.4.210930 (Patch 33416868)
    WLS OVERLAY PATCH FOR 12.2.1.4.0 OCT 2021 PSU (Patch 33671996) for CVE-2021-44228,CVE-2021-45046
12.2.1.3.0 WLS PATCH SET UPDATE 12.2.1.3.210929 (Patch 33412599)
    + WLS OVERLAY PATCH FOR 12.2.1.3.0 OCT 2021 PSU (Patch 33671996) for CVE-2021-44228,CVE-2021-45046
Advertisement

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.