Database Install/Upgrade/Opatch (MOSC)

MOSC Banner

Why are old log4j files still included in Oracle Database?

in Database Install/Upgrade/Opatch (MOSC) 2 commentsAnswered ✓

Windows 2016/2019/2022 and RHEL 7, 8.

Oracle Database 19c with patches 19.16, 19.17, 19.18


I download database 19c from Oracle.com. I patch it to the latest patch (any of the above), and log4j is still a vulnerable version in some folders within the installation.

I think i've read that Oracle states that Oracles Database product is not vulnerable. Any perhaps it isn't, but our scanning tools, and our customer scanning tolls are still reacting to these old versions (specifically in the TFA directory in the Oracle home), and we are trying to motivate getting these flagged as false positives. However, oracle could just solve everybodys problems with just updating those files to newer, not vulnerable versions. Why don't they?

Howdy, Stranger!

Log In

To view full details, sign in to My Oracle Support Community.

Register

Don't have a My Oracle Support Community account? Click here to get started.

Category Leaderboard

Top contributors this month

Instructions for posting

×

1. Select a discussion category from the picklist.


2. Enter a title that clearly identifies the subject of your question.


3. In the body, insert detailed information, including Oracle product and version.


Please abide by the Oracle Community guidelines and refrain from posting any customer or personally identifiable information (PI/CI).


Cloud / Fusion customers - Our Cloud community has moved! Please go to Cloud Customer Connect .


New to My Oracle Support Community? Visit our Welcome Center

MOSC Help Center