Hi,
I have a session that performs an update that blocks a set of sessions that make inserts on the same table. The set of sessions with the insert statement have the event tx index contention; how is this possible?
Thanks for your help
Version 21.4 from yesterday fixes this issue
That does not answer the question. Is 19.2 vulnerable to the log4j attack?
Correct. But it shows the way to another solution.
I am not looking for another solution, I need to gauge the risk involved with version 19.2 installed on hundreds of workstations. Distributing a new version requires all those users to install it, and force update is not 100% proof.
Yes, 19.2 has that vulnerability. The attack vector would be pretty narrow for a desktop application like SQL Developer. Is it a 0% chance? No. So you should be upgrading.
And you should be upgrading more than every 2.5 years, log4j or no log4j.
If you upgrade to 21.4 without a new Java JDK, is it still fixed? I have jdk1.8.0_251
Yes, there's no relationship there.
I did download the newest sqldeveloper from OTN, version 21.4.0.346.2239 - December 13, 2021. But that version still has a log4j-core.jar with a JndiLookup.class in it. Is there a new version? Or is this still an 'unvulnerable' version of sqldeveloper? regards,
Ivan
We updated the log4j library to address the CVE. I think we'll try to completely remove it since we don't really use it sometime next year.
Jeff,
So you are saying the sqldeveloper version 21.4.0.346.2239 from OTN is the correct one despite the JndiLookup.class in the log4j-core.jar file?
regards,
Hi Ivan, In another post it has been mentioned that Log4J 2.15 does not fix it completely, and Jeff also mentioned to hold for a new version. Jan-Pieter
I installed 21.4 on OSX
Performance of SQL-Queries in Worksheet is very poor
I noticed that this statement is executed automatically: select distinct owner, object_name from all_procedures order by owner, object_name On an Oracle eBS installation this is running for ages. What is that good for? Can that be deactivated?
We run many queries on a background thread so that the parser can bring you all those juicy features like code completion.
If you have privileged access, we'll use the DBA_ views instead - which are known to be much faster than the ALL_ views. If these data dictionary views are slow in your EBS system, your data dictionary stats may need to be updated - work with your DBA to troubleshoot database performance problems.
OK, understood. How can that be disabled? In a previous version this issue did not occur at all.
I disabled Code Completion in the preferences, but no effect.
I'm not sure behavior here has changed...are you saying that query is not being used in 21.2? You can't disable code completion, you can only disable AUTOMATIC code completion.
I think it was version 19.??
On an eBS environment where you can have hundreds of thousands of procedures because eBS is HUGE.... such automatic queries do not really help. Can that be deactivated?
Just installed 21.2.0.187 and until now the issue does not occur.
On an eBS environment where you can have hundreds of thousands of procedures because eBS is HUGE.... such automatic queries do not really help.
Agreed, I'm working with developers now to sort this out. Stay tuned. Also in the future, please start new threads for new problems/questions. It makes monitoring these forums and problems so much easier.
Will do, thx
Hi Jeff, Downloaded the new Sql Developer Version 21.4.0.346. Do we need to uninstall the older versions? Thanks
Once you're happy with the new version, yes, you probably should.
21.4.1 with update 16 of log4j is now available
SQL Developer 21.4 Version 21.4.0.346.2239 - December 13, 2021 - Contains Log4jReleaseVersion: 2.15 which does not fully remediate the vulnerability. Version 21.4.1.349.1822 - December 15, 2021 - Contains Log4jReleaseVersion: 2.16 which is the latest.
Hi! Is there any official statement from Oracle regarding Log4j? If so, would you, please, write the link here? Thanks! Best regards Nasser Hosseini
Yes there are multiple solutions published in My Oracle Support portal.
Hi, looks like Log4j 2.16 is vulnerable too, see https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/
Yes, there is a Denial Of Service risk, but is someone going to shut down your SQL Developer desktop application Service? If we make another update available, I'll be sure to update this thread.
No, it's in a LAN. OK, Thanks
I think that log4j version 2.17 is available. The previous version of Sql Developer with log4j 2.15 was updated in a week? Before we start installation on hundreds of machines, I'd like to know if Oracle is going to publish a new SqlDev with log4j 2.17 in the next couple of days/weeks/months? Thank you.
No plans as of today. Update 17 of the log4j library addresses denial of service attacks...with SQL Developer, there is no service to deny.
The larger issue is our company is scanning for anything 2.16 or below and quarantining them from the network. So yes, SQL Developer does not have services, but for a lot, it's still pinging in vulnerability scans and causing issues from that stance. It needs a patch.
Your scanner needs an exception/rule for 'if SQL Developer'...
Jeff, We have Oracle client software installed on application servers and our scanners are also reporting vulnerabilities like CVE-2021-4104. Adding exceptions to the scanner is not an option (CISO demand). But I think Sqldeveloper can be removed as we don't use it on application servers. In OUI I don't see an uninstall option for sqldeveloper. Can it just be removed?
Yes
Like Matt above, this is not an option for us. Our only option is to update the software, remove it, or get our machines quarantined...
I have an update in the works so that this won't get flagged by your scanners, even if the vulnerability doesn't affect SQLDev. It will also include a few other showstopper bug fixes. Timing would be in next few days/weeks.
Hi, May I ask if an earlier Sqldeveloper version 4.1.3 has the vulnerability issue of the log4j? In our setup many of our users are still using an earlier version.
Assume yes.
"The Apache Log4j team has issued patches and suggested mitigation steps to address the Log4j security flaw. Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability. Log4j 2.x mitigation: Implement one of the mitigation techniques. Java 8 (or later) users should upgrade to release 2.16.0. Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon). Otherwise, Apache recommends removing the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability." Have I got it correct? sqldeveloper used to use log4j version 1.2 that is not impacted by this vulnerability. The latest version has been upgraded to log4j version 2.15 that is not a recommended version.
If that is correct I rather stay on the older version.
/Magnus
No, not correct. "Users requiring Java 7 should upgrade to release 2.12.2" We no longer support Java 7, full stop. "The latest version has been upgraded to log4j version 2.15 that is not a recommended version." 21.4.1 ships with log4j 2.16. 21.4.2 (probably out next week) will have log4j 2.17 - although we don't see that as absolutely necessary, we're doing it as log4j scanners aren't exactly logical when it comes to what is a problem, and instead just say it's always bad - maybe not a bad thing in hindsight.
Great news! I will make sure we move on to at least 21.4.1
Thanks, Magnus
Hi everyone,
Just looking for some guidance regarding sql developer installs and log4j files.
What version is currently recommended to upgrade to so we avoid log4j vulnerabilities?
The current version (22.2.1)
Thanks for the quick response, Jeff! And are the vulnerabilities removed from this version? Or are there still some files present that aren't exploitable?
There are no known CVEs present in this version of SQLDev - you're good
@thatjeffsmith-oracle
Hello Jeff
Sorry to bring up an older article but we are just going through some exploitable issues
One we noticed was older versions of sql floating around had the log4j vulnerability
21.2 and 19.4 and 18.4
Instead of trying to get all these users to update, can it be forcefully mitigated? For example, what would break if we deleted the log4j-core.jar file? Would it break stuff? What feature uses this? This might be good info to know prior to changing anything.
I am not a user of sql developer so I don't know
Is the vulnerability really a problem for the SQL Developer client application? Log4j must use insecure URLs to exploit the vulnerability.
Yes, you can delete the jar.
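As an added example (not code from the thread, from Oracle or from Apache), the following Python script does the two things discussed above: it inventories log4j-core jars under an install tree, reading the Log4jReleaseVersion manifest attribute and checking for JndiLookup.class, and it applies the class-removal mitigation from the Apache quote without needing the zip tool. The jars it inspects are constructed placeholders built in a temp directory, and the version thresholds follow the thread (2.15 incomplete, 2.16 leaves only the denial-of-service issue, 2.17 current).

```python
import os, re, tempfile, zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"

def inspect_jar(path):
    """Read Log4jReleaseVersion from the manifest and check for JndiLookup.class."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        text = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
    m = re.search(r"^Log4jReleaseVersion:\s*(\S+)", text, re.M)
    version, jndi = (m.group(1) if m else None), JNDI_CLASS in names
    v = tuple(int(p) for p in version.split(".")[:2]) if version else None  # e.g. (2, 15)
    if v is None:
        status = "unknown release (no Log4jReleaseVersion in manifest)"
    elif v >= (2, 17):
        status = "ok"
    elif v >= (2, 16):
        status = "denial-of-service issue only; 2.17 fixes it"
    elif jndi:
        status = "JNDI lookup exposed: upgrade, or strip JndiLookup.class"
    else:
        status = "JndiLookup.class already stripped; upgrade still advised"
    return {"path": path, "version": version, "jndi_present": jndi, "status": status}

def scan_tree(root):
    """Walk an install tree (e.g. a SQL Developer folder) for log4j-core jars."""
    return [inspect_jar(os.path.join(d, f)) for d, _, fs in os.walk(root)
            for f in sorted(fs) if f.startswith("log4j-core") and f.endswith(".jar")]

def strip_jndi_lookup(path):
    """Same effect as Apache's `zip -q -d ... JndiLookup.class`: rewrite the jar without it."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)

def demo():
    """Constructed sample jars (not real log4j) in a temp dir: scan, strip, rescan."""
    lib = tempfile.mkdtemp()
    samples = {"log4j-core-2.15.0.jar": ("2.15", True), "log4j-core-2.17.0.jar": ("2.17", False)}
    for name, (ver, with_jndi) in samples.items():
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            zf.writestr(MANIFEST, "Manifest-Version: 1.0\nLog4jReleaseVersion: %s\n" % ver)
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    before = scan_tree(lib)
    strip_jndi_lookup(before[0]["path"])
    return before, inspect_jar(before[0]["path"])
```

Point scan_tree at a real SQL Developer directory to get the same report for installed copies; the 2.12.x Java 7 branch mentioned in the Apache quote is not modelled.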