Log4j Zero-Day Vulnerability CVE-2021-44228 – How to Prevent a Log4Shell Attack in Oracle WebLogic

Oracle has just released Security Alert CVE-2021-44228 in response to a new vulnerability affecting Apache Log4j. This Log4j vulnerability affects a number of Oracle products that make use of the vulnerable component. The vulnerability has received a CVSS Base Score of 10.0 from the Apache Software Foundation. Oracle customers should refer to MOS Article: “Apache Log4j Security Alert CVE-2021-44228”.

Oracle strongly recommends applying the fix pack to update the Log4j jars.

Additionally, the Oracle Cloud operations and security teams are evaluating this Security Alert as well as all relevant third-party fixes as they become available. They will apply the relevant patches in accordance with applicable change management processes.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

For more information: Security Alert CVE-2021-44228 is published at https://www.oracle.com/security-alerts/alert-cve-2021-44228.html

Information about this vulnerability published on the National Vulnerability Database is located at https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

Information about this vulnerability from the Apache Software Foundation is published at https://logging.apache.org/log4j/2.x/security.html

Some of the applicable Oracle components
Oracle Fusion Middleware – Version 12.2.1.3.0 to 12.2.1.4.0 [Release 12c]
Oracle WebLogic Server – Version 12.2.1.3.0 to 14.1.1.0.0 [Release 12c]

  • Applies to any product installed with the FMW Infrastructure with WebLogic Server
  • Applies to OHS, OID, and OUD standalone homes where Log4j files are installed

This document provides patches and mitigation steps to alleviate the impact associated with CVE-2021-44228 and CVE-2021-45046 on Oracle Fusion Middleware products.

Refer to Apache Log4j (version 2) vulnerability described in Security Alert CVE-2021-44228 for more details.

This document applies to Oracle WebLogic Server 14.1.1, 12.2.1.4, and 12.2.1.3; and Oracle Fusion Middleware 12.2.1.4 and 12.2.1.3 products installed with the FMW Infrastructure.

In earlier versions (12.1.x, 11.1.x, 10.3.x), the Apache Log4j library included was version 1, which is not reported as having these vulnerabilities.

Mitigation Plan

If patching is not possible at this time, you may mitigate the Log4j vulnerabilities with the steps below.

This mitigation applies to Log4j v2 prior to 2.16.0, including 2.15.

  1. Navigate to the location:

ORACLE_HOME/oracle_common/modules/thirdparty/

  2. Run the following command:

zip -q -d log4j*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

A server restart is required if the Log4j jars are in use (that is, if they are included in the system CLASSPATH).

WebLogic Server Installed Log4j Files

Apache Log4j version 2 is not used in default Oracle WebLogic Server installations or configurations. However, the Oracle WebLogic Server and Fusion Middleware homes contain vulnerable Log4j version 2 jars.

For each version below, the common Log4j version 2 jar files are in the ORACLE_HOME/oracle_common/modules/thirdparty directory:

12.2.1.3.0: log4j-1.2.17.jar (version 2)
12.2.1.4.0: log4j-2.11.1.jar
14.1.1.0.0: log4j-core-2.11.1.jar and log4j-api-2.11.0.jar

Notes:

The jar names do not always reflect the actual version or content. Other jars with version 2 filenames such as those in the oracle_common/modules/thirdparty/features subdirectory do not need to be upgraded as they contain only Manifest files.

These Log4j version 2 jars are not included in the WebLogic Server system CLASSPATH and therefore are not available for use by applications or layered products. However, it is possible for a customer or layered product to modify the system CLASSPATH and use this vulnerable library within Oracle WebLogic Server.

The system CLASSPATH is displayed during WebLogic Server startup by the startWebLogic script. It is also viewable in the DOMAIN_HOME/servers/[servername]/logs/[servername].out file.
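The following script is an added example, not Oracle's code or part of the MOS note. It ties together the two checks above: it scans the jars under ORACLE_HOME/oracle_common/modules/thirdparty for the JndiLookup.class entry and removes it with the same effect as the `zip -q -d` command in the mitigation plan, and it parses the CLASSPATH line that startWebLogic echoes into the server .out file to see whether any log4j jar has been placed on the system CLASSPATH. The ORACLE_HOME layout, the jar contents and the .out excerpt are all constructed in a temporary directory for the demonstration; the jars hold placeholder bytes, not real class files.

```python
"""Added example (not Oracle's code): scan ORACLE_HOME/oracle_common/modules/thirdparty
jars for JndiLookup.class, strip it the way the page's `zip -q -d` command does, and
check the CLASSPATH echoed into DOMAIN_HOME/servers/<server>/logs/<server>.out for
log4j jars. All paths, jars and log text below are constructed fixtures."""
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Entry the mitigation deletes (taken from the page's zip command).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FAKE_CLASS = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file


def has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class, i.e. the mitigation is not applied."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def unmitigated_jars(directory):
    """Names of log4j*.jar files in the directory that still carry JndiLookup.class.
    Files that are not valid zip archives are skipped rather than aborting the scan."""
    return [p.name for p in sorted(Path(directory).glob("log4j*.jar"))
            if zipfile.is_zipfile(p) and has_jndi_lookup(p)]


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as `zip -q -d JAR ENTRY`).
    zipfile cannot delete in place, so the archive is rebuilt in memory and swapped in
    with os.replace. Returns True if an entry was removed."""
    jar_path = Path(jar_path)
    removed = False
    buf = io.BytesIO()
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info))
    if removed:
        tmp = jar_path.with_name(jar_path.name + ".tmp")
        tmp.write_bytes(buf.getvalue())
        os.replace(tmp, jar_path)
    return removed


def log4j_jars_on_classpath(out_text):
    """CLASSPATH entries from the echoed start-up environment whose file name starts with
    log4j. Every log4j*.jar is reported, because (as the notes say) the file name does
    not reliably indicate the Log4j version. Handles ';' (Windows) and ':' (Unix)."""
    for line in out_text.splitlines():
        if line.startswith("CLASSPATH="):
            value = line[len("CLASSPATH="):]
            sep = ";" if ";" in value else ":"
            return [e for e in value.split(sep)
                    if e.replace("\\", "/").rsplit("/", 1)[-1].lower().startswith("log4j")
                    and e.lower().endswith(".jar")]
    return []


def build_fixture(root):
    """Constructed ORACLE_HOME with two fake jars; only log4j-core carries JndiLookup."""
    thirdparty = Path(root) / "oracle_common" / "modules" / "thirdparty"
    thirdparty.mkdir(parents=True)
    with zipfile.ZipFile(thirdparty / "log4j-core-2.11.1.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_LOOKUP, FAKE_CLASS)
        jar.writestr("org/apache/logging/log4j/core/Logger.class", FAKE_CLASS)
    with zipfile.ZipFile(thirdparty / "log4j-api-2.11.0.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/Logger.class", FAKE_CLASS)
    return thirdparty


def run_demo():
    """End to end: a constructed .out whose CLASSPATH was modified to add the thirdparty
    core jar, the scan before mitigation, the strip, and the scan afterwards."""
    with tempfile.TemporaryDirectory() as root:
        thirdparty = build_fixture(root)
        classpath = os.pathsep.join([
            str(Path(root) / "wlserver" / "server" / "lib" / "weblogic.jar"),
            str(thirdparty / "log4j-core-2.11.1.jar"),
            str(Path(root) / "custom" / "lib"),
        ])
        out_text = f"JAVA Memory arguments: -Xms256m -Xmx512m\nCLASSPATH={classpath}\n"
        on_classpath = [Path(e).name for e in log4j_jars_on_classpath(out_text)]
        before = unmitigated_jars(thirdparty)
        removed = [j for j in before if strip_jndi_lookup(thirdparty / j)]
        after = unmitigated_jars(thirdparty)
        with zipfile.ZipFile(thirdparty / "log4j-core-2.11.1.jar") as jar:
            kept = sorted(jar.namelist())  # everything except JndiLookup survives
    return {"on_classpath": on_classpath, "before": before,
            "removed": removed, "after": after, "kept": kept}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `unmitigated_jars` at a real ORACLE_HOME/oracle_common/modules/thirdparty to confirm whether the `zip -d` step has been applied, and feed a real [servername].out to `log4j_jars_on_classpath` to confirm the thirdparty jars are still absent from the system CLASSPATH. The on-disk check is authoritative; the CLASSPATH filter goes by file name only, which is exactly why the notes warn that names such as log4j-1.2.17.jar can still hold a version 2 library.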

Oracle WebLogic Server has provided a patch to upgrade the Log4j version 2 jars for environments where these Apache Log4j version 2 jars are installed and may be in use.

Recommendation: Apply the Oracle WebLogic Server patch to upgrade the Apache Log4j version 2 libraries.

Patch Availability for Oracle WebLogic Server and Oracle Fusion Middleware

The patching requirements for addressing CVE-2021-44228 and CVE-2021-45046 are listed below, with patch links for all versions under error correction support.

The patch has a prerequisite of the WebLogic Server PSU for October 2021:

WLS Release   Required Patches (apply the WLS PSU and then the CVE Overlay)

14.1.1.0.0    WLS PATCH SET UPDATE 14.1.1.0.210930 (Patch 33416881)
              + WLS OVERLAY PATCH FOR 14.1.1.0.0 OCT 2021 PSU (Patch 33671996) for CVE-2021-44228, CVE-2021-45046

12.2.1.4.0    WLS PATCH SET UPDATE 12.2.1.4.210930 (Patch 33416868)
              + WLS OVERLAY PATCH FOR 12.2.1.4.0 OCT 2021 PSU (Patch 33671996) for CVE-2021-44228, CVE-2021-45046

12.2.1.3.0    WLS PATCH SET UPDATE 12.2.1.3.210929 (Patch 33412599)
              + WLS OVERLAY PATCH FOR 12.2.1.3.0 OCT 2021 PSU (Patch 33671996) for CVE-2021-44228, CVE-2021-45046
