$ORACLE_HOME/oracle_common/modules/thirdparty/log4j-2.11.1.jar

We are always getting flagged on this file during a Nessus security scan for Plugin ID 155999. After working on an SR, it was advised by Oracle to create an Enhancement request so that the name of the log4j reflects its real version, which is 2.17.1.
The version of Apache Log4j on the remote host is 2.x < 2.3.1 / 2.4 < 2.12.2 / 2.13 < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JNDI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.
Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled.
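One way to document the mismatch described above, as an added example that is not part of the original post or Oracle's tooling: compare the version in a jar's file name with the version metadata stored inside it. It assumes the jar carries an `Implementation-Version` manifest entry or a Maven `pom.properties` under `META-INF/maven/org.apache.logging.log4j/`, which a repackaged jar may not; the sample jar is constructed in memory and the function names are hypothetical.

```python
import io
import re
import zipfile

MAVEN_PREFIX = "META-INF/maven/org.apache.logging.log4j/"

def embedded_versions(jar):
    """Return {source: version} read from metadata inside the jar (path or file object)."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name == "META-INF/MANIFEST.MF":
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
                if m:
                    found["manifest"] = m.group(1)
            elif name.startswith(MAVEN_PREFIX) and name.endswith("/pom.properties"):
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", text, re.M)
                if m:
                    found[name.split("/")[3]] = m.group(1)  # key is the artifact id
    return found

def audit(filename, jar):
    """Compare the version a scanner would infer from the file name with the embedded one."""
    m = re.search(r"-(\d+(?:\.\d+)+)\.jar$", filename)
    name_ver = m.group(1) if m else None
    inside = embedded_versions(jar)
    mismatch = bool(inside) and any(v != name_ver for v in inside.values())
    return {"filename_version": name_ver, "embedded": inside, "mismatch": mismatch}

def build_sample_jar():
    """Constructed sample: metadata says 2.17.1, as in the post's description."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 2.17.1\r\n")
        zf.writestr(MAVEN_PREFIX + "log4j-core/pom.properties",
                    "artifactId=log4j-core\nversion=2.17.1\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # The file name is the one from the post; the jar contents are constructed.
    print(audit("log4j-2.11.1.jar", build_sample_jar()))
```

An empty `embedded` result means the jar has no version metadata in either location, so the check is inconclusive rather than a pass.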
Comments
This is for OAS 2024 application.