CVE-2021-44228 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities) (Doc ID 2827804.1)
Applicability: Those who have either upgraded their 12.2 AD/TXK to either Delta.12/13 generally in preparation toward compatibility with 19c database upgrades, or have continuous patching policy promoting that component upgrade.
Prior AD/TXK releases did not employ the JNDI supporting log4j code.
The existing work-around fix, which later will be packaged in the next release of AD/TXK with the newer version of the log4j library that does not have the vulnerability, is quite simple. The instructions are to delete the vulnerable JndiLookup.class from the archive log4j_core.jar in which it was deployed.f
This file exists in two places: $COMMON_TOP for runtime use, and $FND_TOP, the patched staging version copied to $COMMON_TOP.
Please remember you need to fix both your Run and Patch filesystems, so you can run the fix once for each.
This is a scripted re-packaging of the steps outlined in the above MOS Doc ID 2827804.1 – modify to suit your particular installation and platform:
Fix log4j vulnerability in AD/TXK.Delta.12/13
echo "\n Fix log4j vulnerability in AD/TXK.Delta.12/13 \n"
echo "CVE-2021-44228 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities) (Doc ID 2827804.1) \n"
export jars="$FND_TOP/java/3rdparty/stdalone/log4j_core.jar $COMMON_TOP/java/lib/log4j_core.jar"
echo "\nCurrent copies of log4j_core.jar:\n"
for jar in $jars ;do ls -l $jar ;done
echo "\nBackup the existing log4j_core.jar in FND_TOP\n"
mv $FND_TOP/java/3rdparty/stdalone/log4j_core.jar $FND_TOP/java/3rdparty/stdalone/log4j_core.jar.bak
cp $FND_TOP/java/3rdparty/stdalone/log4j_core.jar.bak $FND_TOP/java/3rdparty/stdalone/log4j_core.jar
echo "\nDeleting JndiLookup.class from Jar archives\n"
for jar in $jars ;do zip -d $jar org/apache/logging/log4j/core/lookup/JndiLookup.class ;done
echo "\nVerify that size is smaller and dates are newer\n"
for jar in $jars ;do ls -l $jar ;done
echo "\nVerify that JndiLookup.class is no longer found in jars (0 files) :\n"
for jar in $jars ;do unzip -l -q $jar org/apache/logging/log4j/core/lookup/JndiLookup.class ;done
echo "\nNow bounce the MT services - adstpall.sh adstrtal.sh "
For those with WebLogic based apps (Primavera, SOA Suite, etc.) this is the applicable MOS Doc for those:
Security Alert CVE-2021-44228 / CVE-2021-45046 Patch Availability Document for Oracle Fusion Middleware (Doc ID 2827793.1)
Evaluation of Log4j Use
- The system classpath (CLASSPATH) is displayed during WebLogic Server startup by the startWebLogic script. It is also viewable in the DOMAIN_HOME/servers/[servername]/logs/[servername].out file.
- Review the following to determine the impact and considerations for all Oracle products, which may be using these or different Log4j jar files:
Doc ID 2827611.1 Apache Log4j Security Alert CVE-2021-44228 Products and Versions
WebLogic Server Installed Log4j Files
Apache Log4j version 2 is not used in default Oracle WebLogic Server installations or configurations. However, the Oracle WebLogic Server home contains vulnerable Log4j version 2 jars.
The version 2 jar files are in the ORACLE_HOME/oracle_common/modules/thirdparty directory for each version are:
188.8.131.52.0: log4j-core-2.11.1.jar and log4j-api-2.11.0.jar
Patch Availability for Oracle WebLogic Server and Oracle Fusion Middleware
The patching requirements from addressing CVE-2021-44228 and CVE-2021-45046 are listed below with patch links for all versions under error correction support.
The patch has a prerequisite of the WebLogic Server PSU for Oct 2021:
|WLS Release||Required Patches|
(Apply the WLS PSU and then the CVE Overlay)
|184.108.40.206.0|| WLS PATCH SET UPDATE 220.127.116.11.210930 (Patch 33416881)|
+ WLS OVERLAY PATCH FOR 18.104.22.168.0 OCT 2021 PSU (Patch 33671996) for CVE-2021-44228,CVE-2021-45046
|22.214.171.124.0|| WLS PATCH SET UPDATE 126.96.36.199.210930 (Patch 33416868)|
+ WLS OVERLAY PATCH FOR 188.8.131.52.0 OCT 2021 PSU (Patch 33671996) for CVE-2021-44228,CVE-2021-45046
|184.108.40.206.0|| WLS PATCH SET UPDATE 220.127.116.11.210929 (Patch 33412599)|
+ WLS OVERLAY PATCH FOR 18.104.22.168.0 OCT 2021 PSU (Patch 33671996) for CVE-2021-44228,CVE-2021-45046