Log4J and other CPU patches for fusion middleware 12.2.1.3

sai4u4ever Member Posts: 4 Green Ribbon

Hi Team,

I am using Oracle Fusion Middleware version 12.2.1.3. During a Qualys security scan, our server was found vulnerable to log4j. We don't have any idea whether we are using log4j or not.

Could you please provide suggestions:

1) Is there any way to remove the log4j vulnerability without patching?

2) If patching is required, which patches need to be applied? (We have not applied any CPU released patches yet.)

We need the patch numbers to apply other fixes as well. It would be great if we got the exact sequence of patch numbers to apply (log4j and other latest CPU releases).

-------------------------------------------------------------------

Please find below already installed patches

Interim patches (24) :

Patch 33267535 : applied on Thu Sep 02 16:47:30 SGT 2021

Patch description: "One-off"

Patch 31961038 : applied on Thu Nov 12 17:17:11 SGT 2020

Patch description: "WLS PATCH SET UPDATE 12.2.1.3.201001"

Patch 29321695 : applied on Thu Jul 18 16:48:20 SGT 2019

Patch description: "OSS BUNDLE PATCH 12.2.1.3.190716"

Patch 29194049 : applied on Thu Jul 18 16:43:32 SGT 2019

Patch 29794278 : applied on Thu Jul 18 16:39:43 SGT 2019

Patch description: "OHS (NATIVE) BUNDLE PATCH 12.2.1.3.190517(ID:12.2.1.3.0BP)"

Patch 29909359 : applied on Thu Jul 18 16:22:32 SGT 2019

Patch 29137924 : applied on Thu Jul 18 16:17:28 SGT 2019

Patch 29650702 : applied on Thu Apr 18 18:46:30 SGT 2019

Patch 28314870 : applied on Mon Sep 24 17:59:25 SGT 2018

Patch 27323998 : applied on Fri Sep 21 22:55:51 SGT 2018

Patch 26248143 : applied on Thu Jul 05 20:21:24 SGT 2018

Patch 25549931 : applied on Thu Jul 05 20:20:03 SGT 2018

Patch 24737021 : applied on Thu Jul 05 20:18:51 SGT 2018

Patch 22754279 : applied on Thu Jul 05 20:17:45 SGT 2018

Patch 21663638 : applied on Thu Jul 05 20:16:36 SGT 2018

Patch 19795066 : applied on Thu Jul 05 20:15:12 SGT 2018

Patch 19632480 : applied on Thu Jul 05 20:14:15 SGT 2018

Patch 19154304 : applied on Thu Jul 05 20:13:22 SGT 2018

Patch 19030178 : applied on Thu Jul 05 20:12:28 SGT 2018

Patch 24732082 : applied on Thu Jul 05 20:11:36 SGT 2018

Patch 26355633 : applied on Thu Jul 05 20:03:23 SGT 2018

Patch 26287183 : applied on Thu Jul 05 20:03:04 SGT 2018

Patch 26261906 : applied on Thu Jul 05 20:02:33 SGT 2018

Patch 26051289 : applied on Thu Jul 05 20:02:21 SGT 2018

--------------------------------------------------------------------------------

Also, the below log4j files are present on my server.

/WebBase/Software/29814665/files/oracle.wls.libraries/12.2.1.3.0/wls.common.symbol/modules/com.bea.core.apache.log4j.jar

/WebBase/user_projects/domains/Dname/servers/AdminServer/tmp/_WL_user/log4j_jar

/WebBase/M12213/wlserver/server/lib/consoleapp/APP-INF/lib/log4j-1.2.17-16.jar

/WebBase/M12213/wlserver/server/lib/consoleapp/APP-INF/lib/log4j-1.2.17.jar

/WebBase/M12213/wlserver/server/lib/consoleapp/consolehelp/WEB-INF/classes/log4j.properties

/WebBase/M12213/wlserver/server/lib/wllog4j.jar

/WebBase/M12213/wlserver/plugins/maven/com/oracle/weblogic/wllog4j

/WebBase/M12213/inventory/featuresets/resources/modules/thirdPartyMain_log4jLog4j_1.2.17.0.0.jar

/WebBase/M12213/inventory/featuresets/resources/modules/thirdParty_log4jLog4j_1.2.17.0.0.jar

/WebBase/M12213/sqldeveloper/sqldeveloper/lib/log4j-1.2.13.jar

/WebBase/M12213/oracle_common/plugins/maven/com/oracle/fmwshare/ojdl-log4j/12.2.1/ojdl-log4j-12.2.1.pom

/WebBase/M12213/oracle_common/modules/com.bea.core.apache.log4j.jar

/WebBase/M12213/oracle_common/modules/oracle.odl/ojdl-log4j.jar

/WebBase/M12213/oracle_common/modules/thirdparty/features/log4j.jar

/WebBase/M12213/oracle_common/modules/thirdparty/features/log4j_1.2.17.0.0.jar

/WebBase/M12213/oracle_common/modules/thirdparty/log4j-1.2.17.jar

Answers

  • Michael Ferrante-Oracle Senior Principal Product Manager US Member Posts: 7,203 Employee
    edited Mar 16, 2022 4:16PM

    First, it is important to note that 12.2.1.3 is approaching its end of eligibility for error correction. I strongly recommend you begin moving to 12.2.1.4.

    Second, attempting to alter the product installation (e.g. removing something that is included in the install) is rarely a good idea.

    In general, you need to install the latest CPU patches for all/any Oracle products where you have security concerns. Doing this should be a regularly scheduled practice and not something you only do when someone tells you about the latest possible vulnerability.

    Details about Oracle CPU can be found here:

    https://www.oracle.com/security-alerts


    Michael Ferrante

    Senior Principal Product Manager

    Oracle

    Twitter: @OracleFormsPM
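The question lists files whose names contain log4j, but a file name does not say which Log4j generation an archive holds or whether a renamed or nested jar was missed. The script below is an added example, not part of the original thread and not Oracle tooling: it walks a directory read-only and classifies archives by the classes they contain. The marker class names are standard Log4j class paths; the function names are this example's own.

```python
import io, os, sys, zipfile

# Marker classes identify the Log4j family regardless of the archive's file name.
# Heuristic: the 2.x "log4j-1.2-api" bridge also ships the 1.x Logger class,
# so read the reported version alongside the family.
MARKERS = {
    "org/apache/log4j/Logger.class": "log4j-1.x",
    "org/apache/logging/log4j/core/Logger.class": "log4j-2.x-core",
}
# JNDI-capable classes whose presence is worth reporting next to the family.
JNDI_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",                 # 1.x
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",  # 2.x
)
ARCHIVES = (".jar", ".war", ".ear")

def manifest_version(zf):
    """Return Implementation-Version from the manifest, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None

def inspect(fileobj, label, findings):
    """Classify one archive, then recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not a zip: skip, never modify
    with zf:
        names = set(zf.namelist())
        for marker, family in MARKERS.items():
            if marker in names:
                jndi = [c.rsplit("/", 1)[1] for c in JNDI_CLASSES if c in names]
                findings.append((label, family, manifest_version(zf), jndi))
        for n in names:
            if n.lower().endswith(ARCHIVES):
                inspect(io.BytesIO(zf.read(n)), f"{label}!{n}", findings)

def scan(root):
    """Walk root and return (path, family, version, jndi_classes) tuples."""
    findings = []
    for d, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                inspect(os.path.join(d, f), os.path.join(d, f), findings)
    return findings

if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit, sep="\t")
```

The output is an inventory to compare against what the scanner reported and what the vendor's patches cover; it changes nothing in the installation.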