Enterprise Manager vulnerable to CVE-2021-44228 Log4J

raphi Member Posts: 12 Blue Ribbon
edited Dec 14, 2021 8:27AM in Enterprise Manager

Hi,

according to Doc ID 2827611.1, OEM is vulnerable but there are no patches yet:

2.0 Oracle products with patches pending

Oracle has determined that the following Oracle products are vulnerable and do not currently have patches available for CVE-2021-44228:

  • Oracle Enterprise Manager [Product ID 1370]

Does anyone know which part of OEM is vulnerable or has some more details in general?

Thanks,

raphi

Answers

  • User_ID4IT
    User_ID4IT Member Posts: 2 Employee

    You can refer to

    Security Alert For CVE-2021-44228 & CVE-2021-45046 Patch Availability Document for Oracle Enterprise Manager Cloud Control (Doc ID 2828296.1)

  • VijayK
    VijayK Member Posts: 3 Red Ribbon

    After checking the document, it does say "Patch available", but there is no patch number in any document... Any guidance is appreciated.

  • raphi
    raphi Member Posts: 12 Blue Ribbon

    Thanks @User_ID4IT, when I started this topic there was no info regarding OEM other than that it might be vulnerable. Now it's clearer.

    @VijayK There are only mitigation steps as of now. For 13.4 this means deleting unused jar files in the DB Home plugin, for 13.5 there are a few more steps to do.

  • Easyteam
    Easyteam Member Posts: 8 Blue Ribbon

    Hello,

    it seems that Oracle released patch 33672721 in place of the mitigation steps to deal with the vulnerability on OEM last Saturday, 2021/12/18.

    Regards.

  • JonMcAlexander
    JonMcAlexander Member Posts: 2 Blue Ribbon

    Question.

    Are the WebLogic Server Web Server Plugins affected by the log4j vulnerabilities?

    Thank you,

  • VijayK
    VijayK Member Posts: 3 Red Ribbon

    @Easyteam The patch which you referred did not pass the analysis. Did you try to apply in OEM 13.4 environment? Please advise. Thanks.

  • VijayK
    VijayK Member Posts: 3 Red Ribbon

    The following document is updated with patch details -

    Security Alert For CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105 Patch Availability Document for Oracle Enterprise Manager Cloud Control (Doc ID 2828296.1)

  • Eric Yu
    Eric Yu Member Posts: 2 Green Ribbon

    As far as I know, CVE-2021-44228, also called Log4Shell or LogJam, is a remote code execution (RCE) vulnerability. If an attacker manages to exploit it on one of the servers, they gain the ability to execute arbitrary code and possibly take complete control of the system.

    CVE-2021-44228 is particularly dangerous in that it is easy to exploit: even inexperienced hackers can use this vulnerability to successfully execute attacks. According to the researchers, the attackers only need to get the application to write a single string to the log, and then, due to the message search-and-replace function, they can upload their code to the application.

    Perhaps backup software can help. I am currently trying out Vinchin backup and recovery software, and it may be useful in the future.
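The mitigation raphi describes for 13.4 (removing jar files under the plugin home) and the mechanism Eric Yu outlines (a logged string triggering the message lookup) both come down to one practical question for an administrator: which log4j-core jars are on disk, what version are they, and has the JNDI lookup class been stripped from them. The script below is an added example written for this thread, not Oracle's patch, not the steps from Doc ID 2828296.1 and not code from any poster. It walks a directory tree, reads each log4j-core jar's manifest version and checks whether `JndiLookup.class` is still bundled; the version thresholds are the Apache fixed releases (2.17.0, and 2.12.3 / 2.3.1 on the older maintenance lines), and "mitigated" means the class was removed, which is Apache's published workaround and is not necessarily what the Oracle document prescribes. The jars it scans in `demo()` are constructed stand-ins built with `zipfile`, so it runs offline; the `lib/` and `oracle.sysman.db` names are invented for the sample.

```python
import os
import re
import tempfile
import zipfile

# Class whose presence means the JNDI lookup code is still bundled in the jar.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); returns None when the string is not x.y.z."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def is_patched(version):
    """True when a log4j-core 2.x version carries the fixes for CVE-2021-44228,
    CVE-2021-45046 and CVE-2021-45105: 2.17.0, or 2.12.3 / 2.3.1 on the
    Java 7 / Java 6 maintenance lines."""
    if version is None or version[0] != 2:
        return False
    if version[:2] == (2, 12):
        return version >= (2, 12, 3)
    if version[:2] == (2, 3):
        return version >= (2, 3, 1)
    return version >= (2, 17, 0)


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def classify_jar(path):
    """Return 'patched', 'mitigated', 'vulnerable' or 'review' for one jar."""
    with zipfile.ZipFile(path) as zf:
        version = parse_version(manifest_version(zf))
        has_jndi = JNDI_LOOKUP_ENTRY in set(zf.namelist())
    if is_patched(version):
        return "patched"
    if version is None:
        return "review"          # no usable version string: a human must look
    return "vulnerable" if has_jndi else "mitigated"


def scan_tree(root):
    """Walk root and classify every log4j-core*.jar; returns {relative path: status}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                key = os.path.relpath(path, root).replace(os.sep, "/")
                results[key] = classify_jar(path)
    return results


def make_sample_jar(path, version, include_jndi_lookup):
    """Build a constructed stand-in jar: a manifest plus empty class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"")


def demo():
    """Scan a constructed sample tree (hypothetical plugin directory name)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    make_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)            # unpatched
    make_sample_jar(os.path.join(lib, "log4j-core-2.17.0.jar"), "2.17.0", True)            # fixed release
    make_sample_jar(os.path.join(lib, "log4j-core-2.11.2-stripped.jar"), "2.11.2", False)  # class removed
    make_sample_jar(os.path.join(lib, "log4j-core-unknown.jar"), None, True)               # no version
    make_sample_jar(os.path.join(lib, "other-lib-1.0.jar"), "1.0.0", True)                 # ignored
    return scan_tree(root)


if __name__ == "__main__":
    for jar, status in sorted(demo().items()):
        print(f"{status:10s} {jar}")
```

Point `scan_tree()` at the OMS home or a plugin directory to get an inventory before and after applying the mitigation or the patch; a jar that still reports "vulnerable" after the work is done is the one to look at first, and "review" entries need a manual version check because the manifest did not say.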