Oracle Communities

Oracle Analytics and AI

Child Item

question for how to patch/update log4j for OAS 2023

I applied the latest stack patch bundle for OAS which I understand is supposed to patch all the components like FMW, Weblogic, etc. However the log4j files in the oracle_common\modules\thirdparty directory are still being flagged by security scans for being an older version

"Installed version : 2.11.1
Fixed version : 2.12.2"

Does this need to be patched seperately even though I applied the latest stack patch?

I was going to just delete the log4j file, but it says the file is in use so I didn't want to break OAS.

Thanks,
Josh

Find more posts tagged with

Accepted answers

Steve F-2

Hi Josh,

Welcome to the Oracle Analytics community and thank you for your question!

Filenames may not change; however, the CVE is mitigated if you applied the required patches.

You may review the file manifest with the following command example:

unzip -p /your_path/log4j-1.2.17.jar META-INF/MANIFEST.MF
You may review if the vulnerable class file is present with the following command example:

/usr/java/latest/bin/jar -tvf /your_path/log4j-1.2.17.jar | grep -i "JndiLookup.class"

Once you have confirmed, you can add an exception to your scanner.

Steve F-2

Josh,

For Windows, you can extract the manifest with the the following command:

path_to_your_jdk\bin\jar xf path_to_[oracle_home]\oracle_common\modules\thirdparty\log4j-2.11.1.jar META-INF/MANIFEST.MF

or WinRAR utility.

Then, you can open it with:

edit META-INF/MANIFEST.MF

or your favorite notepad editor.

3158 Mon Jan 10 06:17:44 EST 2022 org/apache/logging/log4j/core/lookup/JndiLookup.class
Does that there is a vulnerability present?

No

Let's see this output:



opatch lspatches

Let's see what the manifest states. These issues were all remedied / mitigated years ago.

Steve F-2

You're right, looks like the filename is just old then?

Yes, the older file names had to be kept for interoperability, but the CVE is mitigated.

Steve F-2

I do not believe these are referenced in the Weblogic classpath of the AdminServer or the Managed server (bi_server1); therefore, you could test rename.

Beware: I do not know the consequences of future patching issues, if the file is renamed.
You would need to review and test on a scratch/non-production system.

These Log4j version 2 jars are not included in the WebLogic Server system CLASSPATH and therefore are not available for use by applications or layered products. But, it is possible for a customer or layered product to modify the system CLASSPATH and use this library within Oracle WebLogic Server (i.e. - custom application).
The system CLASSPATH is displayed during WebLogic Server startup by the startWebLogic script. It is also viewable in the DOMAIN_HOME/servers/[servername]/logs/[servername].out file.

A final note: OAS 2023 is out of error correction support, plan to update to OAS 2025 so that you have support for any potential issues.

All comments

Steve F-2

Hi Josh,

Welcome to the Oracle Analytics community and thank you for your question!

Filenames may not change; however, the CVE is mitigated if you applied the required patches.

You may review the file manifest with the following command example:

unzip -p /your_path/log4j-1.2.17.jar META-INF/MANIFEST.MF
You may review if the vulnerable class file is present with the following command example:

/usr/java/latest/bin/jar -tvf /your_path/log4j-1.2.17.jar | grep -i "JndiLookup.class"

Once you have confirmed, you can add an exception to your scanner.

User_A81NX

Thanks for the fast response, I appreciate it!

This is installed on windows server, but I tried the 2nd cmd you provided without grep and searched the output manually for JndiLookup this shows up:

3158 Mon Jan 10 06:17:44 EST 2022 org/apache/logging/log4j/core/lookup/JndiLookup.class

Does that there is a vulnerability present?

Steve F-2

Josh,

For Windows, you can extract the manifest with the the following command:

path_to_your_jdk\bin\jar xf path_to_[oracle_home]\oracle_common\modules\thirdparty\log4j-2.11.1.jar META-INF/MANIFEST.MF

or WinRAR utility.

Then, you can open it with:

edit META-INF/MANIFEST.MF

or your favorite notepad editor.

3158 Mon Jan 10 06:17:44 EST 2022 org/apache/logging/log4j/core/lookup/JndiLookup.class
Does that there is a vulnerability present?

No

Let's see this output:



opatch lspatches

Let's see what the manifest states. These issues were all remedied / mitigated years ago.

User_A81NX

You're right, looks like the filename is just old then?

Here is the manifest:

Manifest-Version: 1.0
Bundle-Description: The Apache Log4j Implementation
Implementation-Title: Apache Log4j
Bundle-SymbolicName: org.apache.logging.log4j
Implementation-Version: 2.17.1
Archiver-Version: Plexus Archiver
Built-By: Oracle
Specification-Vendor: The Apache Software Foundation
Specification-Title: Apache Log4j
Bundle-Vendor: The Apache Software Foundation
Implementation-Vendor: The Apache Software Foundation
Bundle-Version: 2.17.1
Created-By: Apache Maven 3.6.0
Build-Jdk: 1.8.0_221

Here is lspatches:

opatch lspatches
37476817;OAS STACK PATCH BUNDLE 7.0.0.0.250114 (Patch 37476722)
37453807;WLS PATCH SET UPDATE 12.2.1.4.250107
37434763;OAS BUNDLE PATCH 7.0.0.0.241230
37388935;ADF BUNDLE PATCH 12.2.1.4.241212
37374672;FMW Thirdparty Bundle Patch 12.2.1.4.241210
37297691;OSS 19C BUNDLE PATCH 12.2.1.4.241119
37284722;WebCenter Core Bundle Patch 12.2.1.4.241114
37258699;JDBC19.25 BUNDLE PATCH 12.2.1.4.241107
37202255;RDA release 25.1-2025121 for OFM 12.2.1.4 SPB
37202254;DATABASE RELEASE UPDATE 19.25.0.0.0 FOR FMW DBCLIENT
1221424;Coherence Cumulative Patch 12.2.1.4.24
37056593;One-off
37035947;OWSM BUNDLE PATCH 12.2.1.4.240908
36789759;FMW PLATFORM BUNDLE PATCH 12.2.1.4.240812
36649916;One-off
36316422;OPSS Bundle Patch 12.2.1.4.240220
36178550;WLS STACK PATCH BUNDLE 12.2.1.4.240111 (Patch 36178496)
35965629;ADR FOR WEBLOGIC SERVER 12.2.1.4.0 CPU JAN 2024
34809489;One-off
34542329;One-off
35065206;One-off
31032676;One-off

Steve F-2

You're right, looks like the filename is just old then?

Yes, the older file names had to be kept for interoperability, but the CVE is mitigated.

User_A81NX

Hey, so I provided the manifest output to our security team showing the file is updated, but they want to know if it's possible to rename log4j file so it is not flagged by the scanner… Do you know if that is possible, or will it break OAS?

Steve F-2

These Log4j version 2 jars are not included in the WebLogic Server system CLASSPATH and therefore are not available for use by applications or layered products. But, it is possible for a customer or layered product to modify the system CLASSPATH and use this library within Oracle WebLogic Server (i.e. - custom application).
The system CLASSPATH is displayed during WebLogic Server startup by the startWebLogic script. It is also viewable in the DOMAIN_HOME/servers/[servername]/logs/[servername].out file.

A final note: OAS 2023 is out of error correction support, plan to update to OAS 2025 so that you have support for any potential issues.

User_A81NX

Thanks again for your help! I am in process of building a new OAS 2025 to migrate to, but have been running into various issues configuring it ha!

Steve F-2

J,
Sorry to hear you are encountering issues. If you are unable to resolve them via the knowledge base, then please do open an Service Request.