Can I delete $ORACLE_HOME/md/property_graph/lib/log4j-core-2.9.0.jar file?

We have a bit of a predicament: we are on 18c on Oracle Linux 7 and it seems that Oracle will not be releasing any new patches for this release. We have a plan to upgrade to 19c, but that will take a few months to accomplish. Security scans flagged the $ORACLE_HOME/md/property_graph/lib/log4j-core-2.9.0.jar file as a vulnerability after the recent announcement from Apache. The $ORACLE_HOME/md/... directory seems to be related to the Spatial or Locator options, and we don't use either one. Can we just delete this file? I've got an SR open with Oracle Support, but they are just pointing to the "Apache Log4j Security Alert CVE-2021-44228 Products and Versions (Doc ID 2827611.1)" document. It states that the DB is not affected by this vulnerability, but security tools don't like the presence of that file.
Best Answer
-
Found this MOS note:
Database Vulnerability CVE-2021-44228 With Oracle Spatial and Graph (Doc ID 2828303.1)
"These log4j files can be removed without affect to the DB features and without shutting down the DB. These files are not loaded into the DB Java VM."
Answers
-
We have exactly the same issue in DB 12.2.0.1. Security detects this file. I told them it was for Spatial, which is not enabled in the DB, but they want to know if we can remove the file?
$ORACLE_HOME/md/jlib/log4j-core-2.9.1.jar
-
In our 12c R2 environment, I see 7 different log4j jars in the md\jlib directory. It looks like everything in that jlib directory is for Oracle Spatial, which we do not use. Do you think it's OK to just delete them all to be safe?
log4j-1.2.17.jar
log4j-api-2.9.1.jar
log4j-api-2.13.2.jar
log4j-core-2.9.1.jar
log4j-core-2.13.2.jar
log4j-slf4j-imp-2.9.1.jar
log4j-slf4j-impl-2.13.2.jar
-
I have done the following on my Oracle Windows server with one Oracle home directory for a quite old Oracle version in C:\oracle\product\12.1.0\dbhome_1\:
Executed these commands:
c:
cd \oracle
md log4j-backup
cd log4j-backup
xcopy C:\oracle\product\12.1.0\dbhome_1\log4j*.jar /s /q
del /s /q C:\oracle\product\12.1.0\dbhome_1\log4j*.jar
The above creates a copy of the log4j jar files in c:\oracle\log4j-backup with same relative paths as they had below the Oracle home directory, then deletes the original jar files.
After this, I used 7zip to create log4j-backup.zip in c:\oracle\log4j-backup, deleting the original files after zipping. If we would ever want to restore log4j, we could unpack the zip in the original source directory C:\oracle\product\12.1.0\dbhome_1.
Rebooted the Oracle server, then checked: everything still works fine, bye bye log4j 😀
Actually, Oracle 12c still used log4j 1.x, which is less vulnerable than the log4j 2.x used in newer versions, but our security officer pointed out to me that 1.x also has a vulnerability, described in https://www.cve.org/CVERecord?id=CVE-2021-4104. So better safe than sorry.
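A Linux counterpart of the backup-then-delete procedure above, with the two checks a practitioner wants before deleting anything: which log4j jars are under the home and which of them actually carry the vulnerable component (only log4j-core has the JNDI lookup; the api and slf4j bridge jars do not), and whether any running process has a jar mapped, which turns the MOS note's "not loaded into the DB Java VM" statement into something you can observe. This is an added example, not code from the posters, from the MOS note or from Oracle; the Oracle home, the archive path and the jar names are assumptions, the /proc scan assumes Linux and a user that can read the oracle processes' maps, and the home should be passed as its real path (readlink -f) because /proc/PID/maps shows resolved paths.

```shell
#!/bin/sh
# Added example (not from Oracle or the thread): inventory, in-use check, backup and
# removal of log4j jars under an Oracle home on Linux. ORACLE_HOME, archive path and
# jar names are assumptions; the /proc scan needs read access to the oracle processes.

# Print every log4j jar below the given home, as paths relative to it, sorted.
list_log4j_jars() {
    (cd "$1" && find . -type f -name 'log4j*.jar' | sort)
}

# Classify a jar by the version in its file name. Only log4j-core carries the JNDI
# lookup; the api and slf4j bridge jars are not the vulnerable component.
classify_log4j_jar() {
    name=$(basename "$1")
    case "$name" in
        log4j-core-2.*.jar)
            ver=${name#log4j-core-}; ver=${ver%.jar}
            minor=$(echo "$ver" | cut -d. -f2)
            if [ "$minor" -lt 15 ]; then echo "core $ver: CVE-2021-44228 (fixed in 2.15.0)"
            elif [ "$minor" -lt 17 ]; then echo "core $ver: CVE-2021-45046/CVE-2021-45105 (fixed in 2.17.0)"
            else echo "core $ver: not affected by CVE-2021-44228/45046/45105"
            fi ;;
        log4j-1.*.jar)
            echo "$name: log4j 1.x, end of life; CVE-2021-4104 needs a configured JMSAppender" ;;
        *) echo "$name: api or bridge jar, no JndiLookup" ;;
    esac
}

# Return 0 when a running process has the given absolute path mapped (Linux /proc).
# A jar that merely sits on disk, as the MOS note describes, is never mapped.
jar_mapped_by_process() {
    grep -lsF -- "$1" /proc/[0-9]*/maps 2>/dev/null | grep -q .
}

# Archive the jars with their relative paths, verify the archive reads back, then
# delete them. Refuses to delete a jar that a running process still has mapped.
quarantine_log4j_jars() {
    home="$1"; archive="$2"
    list=$(list_log4j_jars "$home")
    [ -n "$list" ] || { echo "no log4j jars under $home"; return 0; }
    for rel in $list; do
        classify_log4j_jar "$rel"
        if jar_mapped_by_process "$home/${rel#./}"; then
            echo "refusing: $rel is mapped by a running process" >&2
            return 1
        fi
    done
    # shellcheck disable=SC2086  # relative paths from find; no spaces in an Oracle home
    tar -cf "$archive" -C "$home" $list || return 1
    tar -tf "$archive" >/dev/null || return 1
    for rel in $list; do rm -f "$home/$rel"; done
    echo "quarantined $(echo "$list" | wc -l | tr -d ' ') jar(s) into $archive"
}

# Put the jars back from the archive if a feature turns out to need them.
restore_log4j_jars() {
    tar -xf "$2" -C "$1"
}

# Usage: sh quarantine_log4j.sh "$(readlink -f "$ORACLE_HOME")" /root/log4j-backup.tar
if [ "$#" -eq 2 ]; then
    quarantine_log4j_jars "$1" "$2"
fi
```

The archive is listed back before any file is removed, so a failed write to the backup location stops the run with the jars still in place; the scan of /proc is deliberately a refusal rather than a warning, because a mapped jar contradicts the premise under which the MOS note says removal is safe.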
-
Thanks. I had an SR open with Oracle Support and they also said I could delete all of those log4j jars in that directory too, since it's not loaded in the DB Java VM.
-
So Oracle actually has released a fix for log4j and Spatial for 18c as patch 33674035. The problem is they annoyingly made it for 18.16 (33339024), which seems to be for an update only released for Exadata. The last version of 18c available to us mere mortals is 18.14 (32524155).
The workaround for this is to verify you are patched to 18.14, then modify the inventory.xml and change
<prereq_oneoffs>
<prereq oneoff_id="33339024"/>
</prereq_oneoffs>
<overlay_oneoffs>
<overlay oneoff_id="33339024"/>
</overlay_oneoffs>
To
<prereq_oneoffs>
<prereq oneoff_id="32524155"/>
</prereq_oneoffs>
<overlay_oneoffs>
<overlay oneoff_id="32524155"/>
</overlay_oneoffs>
Now you can apply this patch to 18.14. Of course, doing this is unsupported, but 18c is out of support anyway and this is likely to be the last patch you'll ever apply to it.
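The inventory.xml edit above is a two-line substitution, but the step that protects you is the one the poster puts first: confirming the substitute release update really is installed before the prerequisite is rewritten, since a patch whose prerequisite check has been defeated will apply cleanly on a home that lacks the fixes it was built against. The script below, an added example that is not Oracle tooling and not the poster's code, takes the output of `opatch lspatches` saved to a file, checks that the new id is listed, keeps a copy of the original inventory.xml, and only then rewrites the ids. The `id;description` format of the lspatches listing and the location of the patch's inventory.xml are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Oracle tooling): swap the prereq/overlay oneoff ids in a one-off
# patch's inventory.xml, but only after the replacement RU shows up as installed.
# Assumes `opatch lspatches` output was saved to a file as "id;description" lines.

# Return 0 if patch id $1 appears as an installed patch in the lspatches listing $2.
ru_installed() {
    grep -q "^$1;" "$2"
}

# Replace every oneoff_id="$old" with oneoff_id="$new" in the inventory file, keeping
# a .orig copy. Prints the number of rewritten ids; refuses to edit when $new is not
# installed, so a typo in the id cannot silently remove the prerequisite check.
rewrite_oneoff_ids() {
    inv="$1"; old="$2"; new="$3"; lspatches="$4"
    if ! ru_installed "$new" "$lspatches"; then
        echo "patch $new is not installed in this home; not editing $inv" >&2
        return 1
    fi
    cp -p "$inv" "$inv.orig" || return 1
    sed "s/oneoff_id=\"$old\"/oneoff_id=\"$new\"/g" "$inv.orig" > "$inv" || return 1
    grep -c "oneoff_id=\"$new\"" "$inv"
}

# Usage (paths are assumptions):
#   $ORACLE_HOME/OPatch/opatch lspatches > /tmp/lspatches.txt
#   sh rewrite_oneoff.sh /tmp/33674035/etc/config/inventory.xml 33339024 32524155 /tmp/lspatches.txt
if [ "$#" -eq 4 ]; then
    rewrite_oneoff_ids "$1" "$2" "$3" "$4"
fi
```

Keep the .orig copy next to the patch so that a later `opatch rollback` of the one-off, or the 33695048 replacement the MOS note mentions, is done against a patch directory whose prerequisites you can still explain.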
-
According to: Database Vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45104, and CVE-2021-45105 with Oracle Spatial and Graph (Doc ID 2828303.1)
1. Log4jv2 was part of Oracle Spatial, and was present in $ORACLE_HOME/md/jlib directory starting with 12.2. This was a dependency of a component in the Oracle Spatial and Graph Network Data Model (NDM) Server. The NDM Server is not configured by default and must be manually deployed in a WLS container by customers wishing to use it. Even when deployed, no logging was done through the log4j library – there is no code execution path that calls the impacted library. For this reason, even databases with NDM deployed in a WLS are evaluated as not vulnerable to CVE-2021-44228 and CVE-2021-45046.
These log4j files can be removed without affecting the DB features and without shutting down the DB. These files are not loaded into the DB Java VM.
2. PATCH FOR VULNERABILITY WITH SPATIAL: Oracle Development has produced Patch 33695048 which is applicable to October 2021 DBRU installations in 12.2, 18.14, and 21.4.
Patch 33695048 replaces patch 33674035, which is still available for download. You must rollback 33674035 in order to apply 33695048
3. PROPERTY GRAPH JAR FILES IN THE SPATIAL ORACLE_HOME DIRECTORY
Some Oracle Spatial and Graph installations may have Property Graph jar files such as the following:
<ORACLE_HOME>/md/property_graph/lib/log4j-api-2.11.0.jar
<ORACLE_HOME>/md/property_graph/lib/log4j-core-2.11.0.jar
The entire property_graph subdirectory is leftover from previous years when the Property Graph Server files were shipped with the database. With the release of Oracle Graph Server and Client 20.1 in 2020, these files are shipped with that product and the files shipped with the database have no purpose and Oracle recommends removing them (See Note 2652121.1).