
log4j-core.jar and log4j-api.jar in SQL_Developer 20.4.1 - what do they do?

Bernhard FW
Bernhard FW Member Posts: 168 Red Ribbon
edited Dec 13, 2021 10:53PM in SQL Developer

I am a bit concerned about LOG4J and a misuse causing a vulnerability in our systems.

I detected quite a few jar files on my system - please see the screenshot.

What are these LOG4J files doing? Just looking for updates?

Can these be used to hijack my system?

Thanks

Source:

https://techmonitor.ai/technology/cybersecurity/log4j-vulnerability-cyber-crime

Best Answers

Answers

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,513 Employee

    Go download 21.4; it has an up-to-date copy of this library and does not suffer from the recent CVE announced over this past weekend.

  • Bernhard FW
    Bernhard FW Member Posts: 168 Red Ribbon
    Answer ✓
  • User_CXTXO
    User_CXTXO Member Posts: 1 Green Ribbon

    @thatJeffSmith-Oracle

    I just downloaded the 21.4.1.349.1822 version and I see that it also has log4j components. Won't it be affected?


  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,513 Employee
  • zoltix
    zoltix Member Posts: 13 Blue Ribbon

    Hello,

    sqldeveloper Version 21.4.3.063

    I have the same problem as you: the detection system (cyberwatch) has detected this problem, but I don't know how to fix it.

    PS: I have checked manually and it is correct.

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,513 Employee

    There's no problem, these versions don't suffer from any open CVE.

  • zoltix
    zoltix Member Posts: 13 Blue Ribbon

    Hi,

    The cybersecurity tool scans our computers with this script, and it/I can find the file C:\oracle\product\19.0.0\client_1\sqldeveloper\sqldeveloper\lib\log4j-1.2-api.jar on several desktops where sqldeveloper is installed. This may be a false positive, but the file is present and, according to the CVE, it's this file that has the problem. It may not be exploitable in sqldeveloper. For us, it's an issue, but I have to justify to the cybersecurity team why this file is not an issue within the Oracle scope. And I haven't seen any clear documentation on the Oracle site about this. Maybe I should call Oracle support?


    Thanks

    # Browse the disk for log4j jar files and fetch their versions
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        "# Browsing $($drive.Root)"
        foreach ($jar in Get-ChildItem -Path $drive.Root -File -ErrorAction SilentlyContinue -Force -Recurse -Filter '*log4j*.jar') {
            # The version is taken from the file name only (e.g. "1.2" from log4j-1.2-api.jar)
            if ($jar.Name -match '\d[\d.]*\d') {
                "# $($jar.FullName)"
                "NVD_APPLICATION:cpe:2.3:a:apache:log4j:$($Matches[0]):*:*:*:*:*:*:*"
            }
        }
        ""
    }
    # PowerShell does not execute the final block if the script ends with a closing brace, so here's a comment.

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,513 Employee

    We're talking about version 21.4.3 - not whatever you have in an Oracle Client. We've not shipped SQL Developer with the database home or client in several years.

    While there is a SQL Developer folder in those newer homes, if you look inside of them, it's actually SQLcl, which does not have log4j jars of any version.

  • zoltix
    zoltix Member Posts: 13 Blue Ribbon
    edited May 3, 2022 1:07PM

    I have just downloaded the latest version, I have explored the archive with peazip and I can confirm that I can find the file.

    PS: Regarding the SQL Developer folder in those newer homes, I kept the old tree structure of the Oracle installation.

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,513 Employee

    The actual log4j in there is 2.17.x; the highlighted jar you have in your screenshot isn't related.

    We're still shipping log4j, it's just a version that's no longer susceptible to the published CVEs.
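The false positive in this thread comes from deriving the version from the file name, as the posted script does: "log4j-1.2-api.jar" yields "1.2", although that artifact is the Log4j 1.x compatibility bridge shipped as part of Log4j 2. As an added example that is not from the thread, from Oracle or from the scanning tool, the Python script below reads the version from the jar's own Maven pom.properties instead and flags a disagreement with the filename; the jar contents are constructed fixtures, and 2.17.1 is assumed as a stand-in for the 2.17.x mentioned above.

```python
import io
import re
import zipfile

# Same pattern the scanner applies to the file name: "log4j-1.2-api.jar" yields "1.2".
FILENAME_VERSION = re.compile(r"\d[\d.]*\d")

def make_jar(entries):
    """Constructed in-memory jar from {path: text}; a test fixture, not a real Oracle artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()

def version_from_filename(name):
    m = FILENAME_VERSION.search(name)
    return m.group(0) if m else None

def version_from_metadata(jar_bytes):
    """Read groupId:artifactId and version from Maven pom.properties inside the jar, if present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
                lines = zf.read(entry).decode("utf-8").splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
                return f"{props['groupId']}:{props['artifactId']}", props["version"]
    return None, None

def classify(name, jar_bytes):
    """Compare the filename-derived version with the jar's own metadata and flag disagreement."""
    artifact, meta_version = version_from_metadata(jar_bytes)
    file_version = version_from_filename(name)
    # The log4j-1.2-api bridge module lives under org.apache.logging.log4j: it is Log4j 2, not 1.2.
    family = ("log4j2" if (artifact or "").startswith("org.apache.logging.log4j:")
              else "log4j1" if artifact == "log4j:log4j" else "unknown")
    return {"filename_version": file_version, "metadata_version": meta_version, "family": family,
            "mismatch": meta_version is not None and file_version != meta_version}

# Constructed fixtures: the Log4j 2 bridge jar and a Log4j 1.x jar, each carrying pom.properties.
SAMPLES = {
    "log4j-1.2-api.jar": make_jar({"META-INF/maven/org.apache.logging.log4j/log4j-1.2-api/pom.properties":
                                   "groupId=org.apache.logging.log4j\nartifactId=log4j-1.2-api\nversion=2.17.1\n"}),
    "log4j-1.2.17.jar": make_jar({"META-INF/maven/log4j/log4j/pom.properties":
                                  "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n"}),
}

def scan_samples():
    return {name: classify(name, data) for name, data in SAMPLES.items()}
```

Run against real jars by replacing SAMPLES with the bytes of each file the scanner reports; a "mismatch" entry is the case to hand to the security team, since the CPE built from the filename does not describe the code actually present.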