
Oracle Database Discussions


Can I delete $ORACLE_HOME/md/property_graph/lib/log4j-core-2.9.0.jar file?

We have a bit of a predicament: we are on 18c on Oracle Linux 7, and it seems that Oracle will not be releasing any new patches for this release. We have a plan to upgrade to 19c, but that will take a few months to accomplish. Security scans flagged the $ORACLE_HOME/md/property_graph/lib/log4j-core-2.9.0.jar file as a vulnerability after the recent announcement from Apache. The $ORACLE_HOME/md/... directory seems to be related to the Spatial or Locator options; we don't use either one. Can we just delete this file? I've got an SR open with Oracle Support, but they are just pointing to the "Apache Log4j Security Alert CVE-2021-44228 Products and Versions (Doc ID 2827611.1)" document. It states that the DB is not affected by this vulnerability, but the security tools don't like the presence of that file.

This post has been answered by user13297735 on Dec 16 2021
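The thread's answer is "inventory the jars, confirm nothing has them loaded, copy them out, delete them". The script below is an added example (not from the thread, from Oracle or from the MOS notes) that does those steps on Linux: it finds every log4j*.jar under an Oracle home, classifies each by the class files it actually contains rather than by name alone (the JndiLookup class is the CVE-2021-44228 entry point in log4j-core 2.x; JMSAppender is the CVE-2021-4104 component in log4j 1.2), checks /proc/<pid>/maps for any process that has the jar mapped, then copies each jar to a backup directory with its ORACLE_HOME-relative path preserved, records a SHA-256 in a manifest, and only then deletes it. A restore function reverses the operation. The /proc check is Linux-only, and the ORACLE_HOME and backup paths are placeholders.

```python
"""Inventory, quarantine and restore log4j jars under an Oracle home (added example).

Not Oracle's tooling: it automates the manual steps from the thread. Assumes Linux for
the /proc-based "is it loaded" check; paths passed in are assumed, not real installs.
"""
import hashlib
import json
import os
import re
import shutil
import zipfile
from pathlib import Path

# Real class names that decide which advisory a scanner should map the jar to.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                 # log4j 1.2.x
VERSION_RE = re.compile(r"log4j(?:-[a-z0-9-]+)?-(\d+(?:\.\d+)+)\.jar$")


def find_log4j_jars(oracle_home):
    """Every log4j*.jar below ORACLE_HOME (md/jlib, md/property_graph/lib, ...)."""
    return sorted(Path(oracle_home).rglob("log4j*.jar"))


def parse_version(text):
    return tuple(int(x) for x in text.split("."))


def classify(jar):
    """Describe the jar from its contents, not only its file name."""
    m = VERSION_RE.search(jar.name)
    version = m.group(1) if m else "unknown"
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    finding = "no vulnerable lookup/appender class present"
    if JNDI_LOOKUP in names:
        # 2.15.0 restricted JndiLookup, 2.16.0 removed it; anything older is CVE-2021-44228.
        if version != "unknown" and parse_version(version) < (2, 15, 0):
            finding = "log4j-core < 2.15.0 with JndiLookup: CVE-2021-44228"
        else:
            finding = "JndiLookup present: review against CVE-2021-45046/-45105"
    elif JMS_APPENDER in names:
        finding = "log4j 1.x JMSAppender (CVE-2021-4104, needs attacker-controlled config)"
    return {"jar": str(jar), "version": version, "finding": finding}


def mapped_by_process(jar):
    """PIDs that have the jar mmapped (Linux only); a JVM that loaded it shows it in maps."""
    pids = set()
    if not os.path.isdir("/proc"):
        return pids
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/maps") as f:
                if str(jar) in f.read():
                    pids.add(int(pid))
        except OSError:
            continue  # process exited, or not ours to read
    return pids


def quarantine(oracle_home, backup_dir):
    """Copy each jar to backup_dir under its relative path, hash it, then delete the original."""
    oracle_home, backup_dir = Path(oracle_home), Path(backup_dir)
    manifest = []
    for jar in find_log4j_jars(oracle_home):
        if mapped_by_process(jar):
            raise RuntimeError(f"{jar} is mapped by a running process; stop it first")
        entry = classify(jar)
        rel = jar.relative_to(oracle_home)
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(jar, dest)
        digest = hashlib.sha256(dest.read_bytes()).hexdigest()
        if digest != hashlib.sha256(jar.read_bytes()).hexdigest():
            raise RuntimeError(f"copy of {jar} does not match source")
        manifest.append({**entry, "relative_path": str(rel), "sha256": digest})
        jar.unlink()
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(oracle_home, backup_dir):
    """Put the jars back from the manifest, verifying the hash recorded at quarantine time."""
    backup_dir = Path(backup_dir)
    restored = []
    for entry in json.loads((backup_dir / "manifest.json").read_text()):
        src = backup_dir / entry["relative_path"]
        if hashlib.sha256(src.read_bytes()).hexdigest() != entry["sha256"]:
            raise RuntimeError(f"backup of {src} is corrupt")
        dest = Path(oracle_home) / entry["relative_path"]
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        restored.append(str(dest))
    return restored
```

Run `quarantine("/u01/app/oracle/product/18.0.0/dbhome_1", "/u01/app/oracle/log4j-backup")` as the oracle OS user (the paths are placeholders); the manifest it writes is what to hand to the scanner team, since it records the version and finding for each jar removed, and `restore()` puts everything back if a later patch or support request needs the original files.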

Comments

user13297735

We have exactly the same issue in DB 12.2.0.1. Security detects this file. I told them it was for Spatial, which is not enabled in the DB, but they want to know if we can remove the file:
$ORACLE_HOME/md/jlib/log4j-core-2.9.1.jar

user13297735
Answer

Found this MOS note:
Database Vulnerability CVE-2021-44228 With Oracle Spatial and Graph (Doc ID 2828303.1)
"These log4j files can be removed without effect on the DB features and without shutting down the DB. These files are not loaded into the DB Java VM."

Marked as Answer by Flabbergasted George · Dec 16 2021
Josh Stansfield

In our 12c R2 environment, I see 7 different log4j jars in the md\jlib directory. It looks like everything in that jlib directory is for Oracle Spatial, which we do not use. Do you think it's OK to just delete them all to be safe?
log4j-1.2.17.jar
log4j-api-2.9.1.jar
log4j-api-2.13.2.jar
log4j-core-2.9.1.jar
log4j-core-2.13.2.jar
log4j-slf4j-impl-2.9.1.jar
log4j-slf4j-impl-2.13.2.jar

User_XLG6N

I have done the following on my Oracle Windows server, which has one Oracle home directory for a quite old Oracle version in C:\oracle\product\12.1.0\dbhome_1\.
I executed these commands:

c:
cd \oracle
md log4j-backup
cd log4j-backup
xcopy C:\oracle\product\12.1.0\dbhome_1\log4j*.jar /s /q
del /s /q C:\oracle\product\12.1.0\dbhome_1\log4j*.jar

The above creates a copy of the log4j jar files in c:\oracle\log4j-backup with the same relative paths they had below the Oracle home directory, then deletes the original jar files.
After this, I used 7-Zip to create log4j-backup.zip in c:\oracle\log4j-backup, deleting the original files after zipping. If we ever want to restore log4j, we can unpack the zip in the original source directory C:\oracle\product\12.1.0\dbhome_1.
I rebooted the Oracle server, then checked: everything still works fine. Bye bye log4j.
Actually, Oracle 12c still used log4j 1.x, which is less vulnerable than the log4j 2.x used in newer versions, but our security officer pointed out to me that 1.x also has a vulnerability, described in https://www.cve.org/CVERecord?id=CVE-2021-4104. So better safe than sorry.

Josh Stansfield

Thanks. I had an SR open with Oracle Support and they also said I could delete all of those log4j jars in that directory, since it's not loaded in the DB Java VM.

damills

So Oracle actually has released a fix for log4j and Spatial for 18c as patch 33674035. The problem is that they annoyingly made it for 18.16 (33339024), which seems to be an update only released for Exadata. The last version of 18c available to us mere mortals is 18.14 (32524155).
The workaround for this is to verify you are patched to 18.14, then modify the inventory.xml and change
<prereq_oneoffs>
<prereq oneoff_id="33339024"/>
</prereq_oneoffs>
<overlay_oneoffs>
<overlay oneoff_id="33339024"/>
</overlay_oneoffs>
To
<prereq_oneoffs>
<prereq oneoff_id="32524155"/>
</prereq_oneoffs>
<overlay_oneoffs>
<overlay oneoff_id="32524155"/>
</overlay_oneoffs>

Now you can apply this patch to 18.14. Of course, doing this is unsupported, but 18c is out of support anyway and this is likely to be the last patch you'll ever apply to it.

damills

An official version of 33674035 for 18.14 has been released.

Tzonka Dimova

According to: Database Vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45104, and CVE-2021-45105 with Oracle Spatial and Graph (Doc ID 2828303.1)
1. Log4jv2 was part of Oracle Spatial, and was present in $ORACLE_HOME/md/jlib directory starting with 12.2. This was a dependency of a component in the Oracle Spatial and Graph Network Data Model (NDM) Server. The NDM Server is not configured by default and must be manually deployed in a WLS container by customers wishing to use it. Even when deployed, no logging was done through the log4j library – there is no code execution path that calls the impacted library. For this reason, even databases with NDM deployed in a WLS are evaluated as not vulnerable to CVE-2021-44228 and CVE-2021-45046.
These log4j files can be removed without effect on the DB features and without shutting down the DB. These files are not loaded into the DB Java VM.
2. PATCH FOR VULNERABILITY WITH SPATIAL: Oracle Development has produced Patch 33695048, which is applicable to October 2021 DBRU installations in 12.2, 18.14, and 21.4.
Patch 33695048 replaces patch 33674035, which is still available for download. You must roll back 33674035 in order to apply 33695048.
3. PROPERTY GRAPH JAR FILES IN THE SPATIAL ORACLE_HOME DIRECTORY
Some Oracle Spatial and Graph installations may have Property Graph jar files such as the following:
<ORACLE_HOME>/md/property_graph/lib/log4j-api-2.11.0.jar
<ORACLE_HOME>/md/property_graph/lib/log4j-core-2.11.0.jar
The entire property_graph subdirectory is left over from previous years, when the Property Graph Server files were shipped with the database. With the release of Oracle Graph Server and Client 20.1 in 2020, these files are shipped with that product; the files shipped with the database have no purpose, and Oracle recommends removing them (see Note 2652121.1).


Post Details

Added on Dec 15 2021
8 comments
13,679 views