
Can I delete $ORACLE_HOME/md/property_graph/lib/log4j-core-2.9.0.jar file?

We have a bit of a predicament: we are on 18c on Oracle Linux 7 and it seems that Oracle will not be releasing any new patches for this release. We have a plan to upgrade to 19c, but that will take a few months to accomplish. Security scans flagged the $ORACLE_HOME/md/property_graph/lib/log4j-core-2.9.0.jar file as a vulnerability with the recent announcement from Apache. The $ORACLE_HOME/md/... directory seems to be related to the Spatial or Locator options, and we don't use either one. Can we just delete this file? I've got an SR open with Oracle support, but they are just pointing to the "Apache Log4j Security Alert CVE-2021-44228 Products and Versions (Doc ID 2827611.1)" document. It states that the DB is not affected by this vulnerability, but the security tools don't like the presence of that file.


Best Answer

  • user13297735
    user13297735 Member Posts: 2 Blue Ribbon
    Answer ✓

    Found this MOS note:

    Database Vulnerability CVE-2021-44228 With Oracle Spatial and Graph (Doc ID 2828303.1)

    "These log4j files can be removed without affect to the DB features and without shutting down the DB. These files are not loaded into the DB Java VM."

Answers

  • user13297735
    user13297735 Member Posts: 2 Blue Ribbon
    edited Dec 16, 2021 9:13AM

    We have exactly the same issue in DB 12.2.0.1. Security detects this file. I told them it was for Spatial, which is not enabled in the DB, but they want to know if we can remove the file:

    $ORACLE_HOME/md/jlib/log4j-core-2.9.1.jar


  • User_A81NX
    User_A81NX Member Posts: 2 Red Ribbon

    In our 12c R2 environment, I see 7 different log4j jars in the md\jlib directory. It looks like everything in that jlib directory is for Oracle Spatial, which we do not use. Do you think it's OK to just delete them all to be safe?

    log4j-1.2.17.jar
    log4j-api-2.9.1.jar
    log4j-api-2.13.2.jar
    log4j-core-2.9.1.jar
    log4j-core-2.13.2.jar
    log4j-slf4j-imp-2.9.1.jar
    log4j-slf4j-impl-2.13.2.jar

  • User_XLG6N
    User_XLG6N Member Posts: 1 Green Ribbon

    I have done the following on my Oracle Windows server with one Oracle home directory for a quite old Oracle version in C:\oracle\product\12.1.0\dbhome_1\:

    Executed these commands:

    rem switch to the drive and folder that will hold the backup
    c:
    cd \oracle
    md log4j-backup
    cd log4j-backup
    rem /s walks every subfolder of the Oracle home; matching jars are copied
    rem into the current folder with the same relative paths, /q suppresses the listing
    xcopy C:\oracle\product\12.1.0\dbhome_1\log4j*.jar /s /q
    rem only after the copy succeeded: delete the originals from the whole Oracle home tree
    del /s /q C:\oracle\product\12.1.0\dbhome_1\log4j*.jar

    The above creates a copy of the log4j jar files in c:\oracle\log4j-backup with same relative paths as they had below the Oracle home directory, then deletes the original jar files.

    After this, I used 7zip to create log4j-backup.zip in c:\oracle\log4j-backup, deleting the original files after zipping. If we ever want to restore log4j, we can unpack the zip into the original source directory C:\oracle\product\12.1.0\dbhome_1.

    Rebooted the Oracle server, then checked: everything still works fine, bye bye log4j 😀

    Actually, Oracle 12c still used log4j 1.x, which is less vulnerable than the log4j 2.x used in newer versions, but our security officer pointed out to me that 1.x also has a vulnerability, described in https://www.cve.org/CVERecord?id=CVE-2021-4104. So better safe than sorry.

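The Linux counterpart of the backup-and-delete procedure in the post above, combined with the inventory User_A81NX asked about earlier in the thread, as an added example. This is editorial example code, not posted by anyone in the thread and not Oracle's: it lists every log4j*.jar under an ORACLE_HOME, reads the version from each jar's embedded Maven pom.properties (falling back to the file name), reports whether the jar still contains JndiLookup.class (the CVE-2021-44228 lookup class, removed from log4j-core in 2.16.0) or JMSAppender.class (the CVE-2021-4104 class in log4j 1.2), checks /proc for any running process that has the jar mapped, and only then zips the jars with ORACLE_HOME-relative paths and deletes them. The script name, the assumption that the host is Linux for the /proc check, and the command-line usage are mine, not the thread's.

```python
"""Inventory, back up and remove stray log4j jars under an ORACLE_HOME.

Added example for this thread, not Oracle code and not from any MOS note.
Assumes: the jars live under ORACLE_HOME and are not loaded by the DB JVM
(what Doc ID 2828303.1 states for md/jlib and md/property_graph/lib), and
that the host is Linux for the /proc "is it mapped?" check (elsewhere that
check simply reports nothing).
"""
import re
import zipfile
from pathlib import Path

# Class that performs JNDI lookups in log4j-core 2.x (CVE-2021-44228);
# removed from log4j-core in 2.16.0.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Appender behind CVE-2021-4104 in log4j 1.2.x (only reachable when configured).
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
# Fallback version parser for names such as log4j-core-2.9.1.jar or log4j-1.2.17.jar.
_NAME_VERSION = re.compile(r"^log4j(?:-[A-Za-z0-9-]*?)?-(\d+(?:\.\d+)+)\.jar$", re.I)


def find_log4j_jars(oracle_home):
    """Every log4j*.jar below ORACLE_HOME, as sorted Path objects."""
    return sorted(p for p in Path(oracle_home).rglob("*.jar")
                  if p.name.lower().startswith("log4j"))


def jar_version(zf, jar_path):
    """Version from the jar's embedded Maven pom.properties, else from its file name."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = _NAME_VERSION.match(jar_path.name)
    return m.group(1) if m else None


def inspect_jar(oracle_home, jar_path):
    """Describe one jar: its version and whether the CVE-relevant classes are inside."""
    rel = str(Path(jar_path).relative_to(oracle_home))
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = set(zf.namelist())
            return {"path": rel, "readable": True, "version": jar_version(zf, Path(jar_path)),
                    "jndi_lookup": JNDI_LOOKUP in names,    # CVE-2021-44228 surface
                    "jms_appender": JMS_APPENDER in names}  # CVE-2021-4104 surface
    except zipfile.BadZipFile:  # truncated or not a jar at all: flag it, do not guess
        return {"path": rel, "readable": False, "version": None,
                "jndi_lookup": False, "jms_appender": False}


def pids_mapping(jar_path):
    """PIDs of running processes that have this jar mapped (Linux /proc; empty elsewhere)."""
    target = str(Path(jar_path).resolve())
    pids = set()
    for maps in Path("/proc").glob("[0-9]*/maps"):
        try:
            if target in maps.read_text():
                pids.add(int(maps.parent.name))
        except OSError:  # process gone, or not ours to read
            continue
    return pids


def backup_and_remove(oracle_home, backup_zip, dry_run=False):
    """Archive every log4j jar with paths relative to ORACLE_HOME (so
    `unzip backup.zip -d $ORACLE_HOME` restores them), verify the archive,
    then delete the originals. Refuses if any jar is mapped by a live process."""
    home = Path(oracle_home)
    jars = find_log4j_jars(home)
    in_use = {str(j.relative_to(home)): pids_mapping(j) for j in jars}
    in_use = {k: v for k, v in in_use.items() if v}
    if in_use:
        raise RuntimeError(f"jars mapped by running processes, not removing: {in_use}")
    with zipfile.ZipFile(backup_zip, "w", zipfile.ZIP_DEFLATED) as out:
        for j in jars:
            out.write(j, arcname=str(j.relative_to(home)))
    with zipfile.ZipFile(backup_zip) as chk:  # verify before touching the originals
        if chk.testzip() is not None or len(chk.namelist()) != len(jars):
            raise RuntimeError("backup archive failed verification; nothing removed")
    removed = []
    for j in jars:
        if not dry_run:
            j.unlink()
        removed.append(str(j.relative_to(home)))
    return removed


if __name__ == "__main__":
    import sys  # usage: python log4j_home.py $ORACLE_HOME [backup.zip]
    home = Path(sys.argv[1])
    for jar in find_log4j_jars(home):
        print(inspect_jar(home, jar), "mapped by:", sorted(pids_mapping(jar)))
    if len(sys.argv) > 2:
        print("removed:", backup_and_remove(home, sys.argv[2]))
```

Run it once with only the ORACLE_HOME argument to get the inventory (version plus whether JndiLookup.class / JMSAppender.class are present), and a second time with a backup path to archive and delete. The /proc check is a sanity check, not proof of safety: a jar that no process has mapped right now could still be on the classpath of something started later (the NDM Server in a WLS container, for instance), so keep the backup and restore with unzip -d $ORACLE_HOME if anything complains.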
  • User_A81NX
    User_A81NX Member Posts: 2 Red Ribbon

    Thanks. I had an SR open with Oracle support, and they also said I could delete all of those log4j jars in that directory, since it's not loaded in the DB Java VM.

  • damills
    damills Member Posts: 11 Blue Ribbon

    So Oracle actually has released a fix for log4j and Spatial for 18c as patch 33674035. The problem is that they annoyingly made it for 18.16 (33339024), which seems to be an update only released for Exadata. The last version of 18c available to us mere mortals is 18.14 (32524155).

    The workaround for this is to verify you are patched to 18.14, then modify inventory.xml and change

      <prereq_oneoffs>
        <prereq oneoff_id="33339024"/>
      </prereq_oneoffs>
      <overlay_oneoffs>
        <overlay oneoff_id="33339024"/>
      </overlay_oneoffs>

    to

      <prereq_oneoffs>
        <prereq oneoff_id="32524155"/>
      </prereq_oneoffs>
      <overlay_oneoffs>
        <overlay oneoff_id="32524155"/>
      </overlay_oneoffs>

    Now you can apply this patch to 18.14. Of course, doing this is unsupported, but 18c is out of support anyway and this is likely to be the last patch you'll ever apply to it.

  • damills
    damills Member Posts: 11 Blue Ribbon

    An official version of 33674035 for 18.14 has been released.

  • Tzonka Dimova
    Tzonka Dimova Member Posts: 1 Red Ribbon

    According to: Database Vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45104, and CVE-2021-45105 with Oracle Spatial and Graph (Doc ID 2828303.1)

    1. Log4jv2 was part of Oracle Spatial, and was present in $ORACLE_HOME/md/jlib directory starting with 12.2. This was a dependency of a component in the Oracle Spatial and Graph Network Data Model (NDM) Server. The NDM Server is not configured by default and must be manually deployed in a WLS container by customers wishing to use it. Even when deployed, no logging was done through the log4j library – there is no code execution path that calls the impacted library. For this reason, even databases with NDM deployed in a WLS are evaluated as not vulnerable to CVE-2021-44228 and CVE-2021-45046.

    These log4j files can be removed without effect to the DB features and without shutting down the DB. These files are not loaded into the DB Java VM.

    2. PATCH FOR VULNERABILITY WITH SPATIAL: Oracle Development has produced Patch 33695048, which is applicable to October 2021 DBRU installations in 12.2, 18.14, and 21.4.

    Patch 33695048 replaces patch 33674035, which is still available for download. You must roll back 33674035 in order to apply 33695048.

    3. PROPERTY GRAPH JAR FILES IN THE SPATIAL ORACLE_HOME DIRECTORY

    Some Oracle Spatial and Graph installations may have Property Graph jar files such as the following:

    <ORACLE_HOME>/md/property_graph/lib/log4j-api-2.11.0.jar
    <ORACLE_HOME>/md/property_graph/lib/log4j-core-2.11.0.jar

    The entire property_graph subdirectory is leftover from previous years when the Property Graph Server files were shipped with the database. With the release of Oracle Graph Server and Client 20.1 in 2020, these files are shipped with that product and the files shipped with the database have no purpose and Oracle recommends removing them (See Note 2652121.1).
