Any update for Log4j 2.17 version release, when is this going to be published?

Krishna_Reddy
Krishna_Reddy Member Posts: 2 Red Ribbon
edited Jan 4, 2022 5:56PM in SQL Developer

Do we have any latest update on the release of a new version of SQL Developer with the Log4j 2.17 library?


Answers

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,571 Employee

    Although it's not an issue for SQL Developer, we plan on updating it anyway, maybe as soon as next week. But we don't publish release dates, so don't take me to court on that.

    It's on the sooner vs later delivery train.

  • Krishna_Reddy
    Krishna_Reddy Member Posts: 2 Red Ribbon

    Thanks, Smith, for the quick response. Could you please confirm that if we update to the latest Oracle SQL Developer 21.4.1.349 and replace the library files at the locations below, there is no impact on application functionality? Is this the recommended solution, or do we have to wait for the release of the latest version?

    Log4j – Download Apache Log4j 2

    C:\Program Files\SQL Developer\sqldeveloper\lib\log4j-1.2-api.jar

    C:\Program Files\SQL Developer\sqldeveloper\lib\log4j-api.jar

    C:\Program Files\SQL Developer\sqldeveloper\lib\log4j-core.jar

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,571 Employee

    There's no issue with the log4j we're shipping with SQL Developer in 21.4.1. If you're ultra-paranoid and want to swap out 2.16 for 2.17, feel free, but I'd test it first.

  • User_QRKN0
    User_QRKN0 Member Posts: 7 Green Ribbon

    I work for the government, USACE, and our computers are being flagged by army vulnerability scans because the log4j-core.jar is not 2.17 or later.

    NOTE: It makes no difference if you "say" there is no vulnerability. This is producing a problem on a number of our servers and computers even though this is client-side software.

    v/r,

    James

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,571 Employee

    We've had two updates since 21.4.1.

    Please ensure you have 21.4.3. If you're still getting files flagged, please open a Service Request with My Oracle Support.

  • User_QRKN0
    User_QRKN0 Member Posts: 7 Green Ribbon
    edited May 26, 2022 6:08PM

    I have installed 21.4.3. Is there any chance 21.4.3 does not have the updated .jar files but 21.4.2 (as the notes say) does? What is the easiest way to determine what version the .jar files are, whether they are 2.17 or not?

    v/r,

    James

  • User_QRKN0
    User_QRKN0 Member Posts: 7 Green Ribbon

    Answering my own question: if I open the .jar file with an unzipping program like 7-Zip, then drill down into the META-INF folder and edit the MANIFEST.MF file with Notepad, I can see the version numbers all over, and 21.4.2 as well as 21.4.3 has the 2.17.1 version number.

    v/r,

    James

  • User_QRKN0
    User_QRKN0 Member Posts: 7 Green Ribbon

    Jeff,

    I found some further information.

    The log4j-core.jar file reveals that BOTH 2.12 and 2.17 are included. The 2.12 is throwing the flag for the government scans. SQLDeveloper 21.4.3 and 21.4.2 both have the above pair. Can we remove 2.12 so it stops throwing the flag on their scans?

    The META-INF/MANIFEST.MF file inside the log4j-core.jar file contains the following lines toward the bottom and has several other references to 2.12 (note they are scanning log4j-core.jar, but I'm not sure MANIFEST.MF is the actual file within it they are scanning for):

    .......
    Multi-Release: true
    Bundle-Activator: org.apache.logging.log4j.core.osgi.Activator
    Log4jReleaseVersionJava7: 2.12.3
    Log4jReleaseVersion: 2.17.1
    Implementation-Title: Apache Log4j Core
    --------------

    The guys doing the scanning are saying they have over a hundred other machines they are working on doing this scanning also.

    Thanks,

    James
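The manifest check James describes (open the jar, read META-INF/MANIFEST.MF, look at the version lines) can be scripted so it can be run across many installs. This is an added example, not code from the forum or from Oracle; it builds a small constructed jar containing only a manifest modelled on the lines quoted above (a real log4j-core.jar has many more members), parses the manifest including the 72-byte continuation lines the JAR format uses, and reports every Log4jReleaseVersion* key, which is how a scanner that matches any version string below 2.17 would still flag the Java7 entry even though Log4jReleaseVersion itself is 2.17.1.

```python
import io
import zipfile

# Constructed MANIFEST.MF modelled on the lines quoted in the thread (not a real jar).
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Multi-Release: true\r\n"
    "Bundle-Activator: org.apache.logging.log4j.core.osgi.Activator\r\n"
    "Log4jReleaseVersionJava7: 2.12.3\r\n"
    "Log4jReleaseVersion: 2.17.1\r\n"
    "Implementation-Title: Apache Log4j Core\r\n"
)


def build_sample_jar() -> bytes:
    """Build an in-memory jar (a zip file) whose only member is the constructed manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
    return buf.getvalue()


def read_manifest(jar_bytes: bytes) -> dict:
    """Parse META-INF/MANIFEST.MF into a dict; a line starting with a space continues the previous one."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for line in text.split("\n"):
        if ": " in line:
            key, value = line.split(": ", 1)
            entries[key] = value.strip()
    return entries


def parse_version(v: str) -> tuple:
    """Turn '2.12.3' into (2, 12, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def log4j_versions(jar_bytes: bytes) -> dict:
    """Every manifest key that records a Log4j release version, with its value."""
    return {k: v for k, v in read_manifest(jar_bytes).items() if k.startswith("Log4jReleaseVersion")}


def below_minimum(jar_bytes: bytes, minimum: str = "2.17.0") -> dict:
    """Version keys older than `minimum`: the entries a version-string scanner would flag."""
    floor = parse_version(minimum)
    return {k: v for k, v in log4j_versions(jar_bytes).items() if parse_version(v) < floor}


if __name__ == "__main__":
    jar = build_sample_jar()  # for a real install: open(r"...\lib\log4j-core.jar", "rb").read()
    print("versions:", log4j_versions(jar))
    print("flagged :", below_minimum(jar))
```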

  • thatJeffSmith-Oracle
    thatJeffSmith-Oracle Distinguished Product Manager Posts: 8,571 Employee

    You can remove the log4j jar, but the flag being raised isn't valid.

  • User_QRKN0
    User_QRKN0 Member Posts: 7 Green Ribbon
    edited May 26, 2022 11:33PM

    Jeff, I appreciate your help, but the comment that the flag being raised is invalid is not good enough for Big Army, which scans hundreds of thousands of computers and is flagging these because 2.12 exists in the log4j jar files along with the 2.17 version.

    If these issues are not mitigated then they want to shut systems down until they are. Yes, I can go around to all the installations of SQLDeveloper and delete the log4j jar files, but what happens when someone installs the latest SQLDeveloper again?

    Would you be kind enough to put in a word to have these files updated to remove the 2.12 references in a new 21.4.4 version of SQLDeveloper? That way when someone downloads the latest it will not start flagging those systems. Again, I believe you that this may not be a real vulnerability, but the scans are what must be satisfied.

    Thank you,

    James