December 2021 Apache Log4j Vulnerabilities on Oracle Products and Services(Doc ID 2827611.1)

崔恺
2023-12-01

PURPOSE

On December 10th, Oracle released Security Alert CVE-2021-44228 in response to the disclosure of a new vulnerability affecting Apache Log4j prior to version 2.15.

Subsequently, the Apache Software Foundation released Apache version 2.16 which addresses an additional vulnerability (CVE-2021-45046). Mitigation instructions from Apache for these issues also evolved over time.

This document details the Oracle Products and Versions affected by CVE-2021-45046. This information generally supersedes the information previously published for vulnerability CVE-2021-44228.

SCOPE

This document applies to all Oracle products and Oracle cloud services.

DETAILS

The initial content for this note was limited to the impact of the Apache Log4j vulnerability CVE-2021-44228 on Oracle products, for releases and versions that are in Premier Support or Extended Support under the Oracle Lifetime Support Policy. This obsolete note is archived as MOS Note ID 2828594.1 and will no longer be updated.

Note:

  • Product releases that are not under Premier Support or Extended Support are not tested for the presence of this vulnerability.
  • Reminder: Oracle strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay. For the most recent Critical Patch Updates, see https://www.oracle.com/security-alerts/.
  • Apache reported that CVE-2021-44228 applies only to Log4j versions 2.0-2.14.1, and does not apply to Log4j versions 1.x.
  • Apache reported that CVE-2021-45046 applies only to Log4j versions 2.0-2.15, and does not apply to Log4j versions 1.x.
  • Oracle believes at the time of the publication of this document that product releases that are not listed in Tables 1-4 below are not affected by this vulnerability in their default product distribution.

This page was last updated on: December 15, 2021 at 11:53 PM PST.

Applicability of these vulnerabilities to Oracle cloud environments

The Oracle cloud operations and security teams are evaluating all information related to CVE-2021-45046 and CVE-2021-44228. They are evaluating all relevant third-party fixes as they become available.

Oracle will perform the required remediation activities (patches and mitigations) in accordance with applicable change management processes. This MOS note will be updated to provide information about the remedial status of all Oracle cloud environments (e.g., Oracle Applications, Oracle NetSuite, Oracle Cloud Infrastructure, Oracle Industry Clouds, etc.).

Note that patching and mitigation activities in these environments have been ongoing since the initial release of the Alert, and some customers may have already received notifications of mandatory maintenance (if the maintenance resulted in a noticeable impact such as service interruption).

Applicability of Security Alert CVE-2021-45046 to Oracle on-premises products

This section provides information about the availability of patches or mitigation instructions for products physically located in customers’ on-premise locations (including traditionally licensed products and cloud on-premises components).

1.0 Oracle products with patches or mitigation available

Updates released in response to CVE-2021-45046 are pending and will address CVE-2021-44228. Information about patches previously released in response to CVE-2021-44228 have been archived in MOS Note 2828594.1.

Patch Availability TableMOS note
Affected ProductsPatch Availability
Agile Engineering Data Management [Product ID 4436]2827823.1
Agile PLM Framework [Product ID 4461]2827700.1
Automatic Service Request [Product ID 9042]2828600.1
Communications Evolved Communications Application Server [Product ID 10994]2828268.1
Communications WebRTC Session Controller [Product ID 10811]2828270.1
Financial Services Economic Capital Advanced [Product ID 9475]2827801.1
Health Sciences Data Management Workbench [Product ID 9581]2827966.1
Hyperion Essbase [Product ID 4379]2827793.1
Instantis EnterpriseTrack [Product ID 10563]2827904.1
Insurance Insbridge Rating and Underwriting [Product ID 5484]2827731.1
Insurance Policy Administration J2EE [Product ID 5279]2827731.1
Insurance Rules Palette [Product ID 5288]2827731.1
Oracle Agile Engineering Collaboration [Product ID 4439]2827700.1
Oracle Analytics Desktop [Product ID 12791]2828540.1
Oracle Analytics Server [Product ID 2025]2828398.1
Oracle Big Data Appliance [Product ID 9734]2828023.1
Oracle Communications Performance Intelligence Center (PIC) Software [Product ID 11044]2828122.1
Oracle Communications Service Broker [Product ID 8565]2827833.1
Oracle Communications Services Gatekeeper [Product ID 5381]2828256.1
Oracle Data Integrator [Product ID 2196]2827929.1
Oracle E-Business Suite [Product ID 1745]2827804.1
Oracle EBS Extensions for Oracle Endeca - INSTALL [Product ID 10240]2827804.1
Oracle Enterprise Manager [Product ID 1370]2828296.1
Oracle Enterprise Manager for Peoplesoft [Product ID 2131]2828293.1
Oracle Enterprise Manager Ops Center [Product ID 9835]2828286.1
Oracle Enterprise Repository [Product ID 5326]2827793.1
Oracle Financial Services Analytical Applications Infrastructure [Product ID 5680]2827801.1
Oracle Financial Services Asset Liability Management [Product ID 5662]2827801.1
Oracle Financial Services Data Integration Hub [Product ID 11289]2827801.1
Oracle Financial Services Loan Loss Forecasting and Provisioning [Product ID 9474]2827801.1
Oracle Financial Services Market Risk Measurement and Management [Product ID 13111]2827801.1
Oracle Financial Services Model Management and Governance [Product ID 14276]2827801.1
Oracle Fusion Middleware [Product ID 1032]2827793.1
Oracle GoldenGate Big Data and Application Adapters [Product ID 5760]2828058.1
Oracle GoldenGate Veridata [Product ID 5758]2828356.1
Oracle Health Insurance Analytics [Product ID 9656]2827793.1
Oracle Health Insurance Claims Pricing [Product ID 10295]2827793.1
Oracle Health Insurance Enterprise Commissions [Product ID 12596]2827793.1
Oracle Hospitality RES 3700 [Product ID 11596]2828515.1
Oracle Insurance Accounting Analyzer [Product ID 13809]2827801.1
Oracle Insurance Data Gateway [Product ID 13628]2827731.1
Oracle JDeveloper [Product ID 807]2827793.1
Oracle Managed File Transfer [Product ID 10198]2828548.1
Oracle Payment Interface [Product ID 13173]2827654.1
Oracle Platform Security for Java [Product ID 2233]2827793.1
Oracle Real-Time Decision Server [Product ID 2104]2827793.1
Oracle Reports Developer [Product ID 159]2827793.1
Oracle Retail Invoice Matching [Product ID 1810]2828547.1
Oracle Retail Predictive Application Server [Product ID 1823]2828260.1
Oracle Retail Store Inventory Management [Product ID 1838]2828601.1
Oracle Unified Directory [Product ID 9118]2827793.1
Oracle WebCenter Portal [Product ID 1696]2827977.1
Oracle WebCenter Sites [Product ID 9617]2828507.1
PeopleSoft PeopleTools [Product ID 5085]2828073.1
Primavera Analytics [Product ID 8577]2827736.1
Primavera Gateway [Product ID 10605]2827707.1
Primavera P6 Enterprise Project Portfolio Management [Product ID 5579]2827712.1
Primavera P6 Professional Project Management [Product ID 5580]2827712.1
Primavera Unifier [Product ID 10354]2827713.1
Siebel UI Framework [Product ID 9011]2828323.1
Utilities Network Management System [Product ID 2241]2827974.1

2.0 Oracle products with patches pending

Oracle has determined that the following Oracle products are vulnerable and do not currently have patches available for CVE-2021-45046:

  • Advanced Support Gateway [Product ID 9296]
  • Autovue for Agile Product Lifecycle Management [Product ID 4434]
  • Communications Application Session Controller [Product ID 10769]
  • Communications Convergent Charging Controller [Product ID 12985]
  • Communications Instant Messaging Server [Product ID 8495]
  • Communications Interactive Session Recorder [Product ID 10765]
  • Communications IP Service Activator [Product ID 2261]
  • Communications Messaging Server [Product ID 8496]
  • Communications Network Charging and Control [Product ID 4623]
  • Communications Offline Mediation Controller [Product ID 2269]
  • Communications Pricing Design Center [Product ID 9437]
  • Communications Session Report Manager [Product ID 10770]
  • Communications Session Route Manager [Product ID 10771]
  • Communications Unified Inventory Management [Product ID 4516]
  • Currency Transaction Reporting [Product ID 9784]
  • Demantra Demand Management [Product ID 2100]
  • Engineered Systems Utilities (Trace File Analyzer) [Product ID 10655]
  • Enterprise Metadata Management [Product ID 11264]
  • Financial Services Behavior Detection Platform [Product ID 9190]
  • Financial Services Foreign Account Tax Compliance Act Management [Product ID 10308]
  • Financial Services Lending and Leasing [Product ID 10484]
  • Financial Services Personal Trading Approval [Product ID 10647]
  • Financial Services Regulatory Reporting [Product ID 9142]
  • Financial Services Revenue Management and Billing [Product ID 2245]
  • FLEXCUBE Core Banking [Product ID 9101]
  • FLEXCUBE Investor Servicing [Product ID 9099]
  • Health Sciences Empirica Signal [Product ID 9646]
  • Health Sciences Information Manager [Product ID 9177]
  • Healthcare Foundation [Product ID 12950]
  • Hyperion Data Relationship Management [Product ID 4375]
  • Hyperion Financial Management [Product ID 4390]
  • Hyperion Planning [Product ID 4402]
  • Hyperion Profitability and Cost management [Product ID 4403]
  • Hyperion Tax Provision [Product ID 10505]
  • Insurance Calculation Engine [Product ID 10837]
  • Management Cloud Engine [Product ID 14252]
  • MySQL Enterprise Monitor [Product ID 8480]
  • Oracle Agile PLM MCAD Connector [Product ID 4440]
  • Oracle Banking Corporate Lending [Product ID 12989]
  • Oracle Banking Corporate Lending Process Management [Product ID 13701]
  • Oracle Banking Credit Facilities Process Management [Product ID 13703]
  • Oracle Banking Deposits and Lines of Credit Servicing [Product ID 13928]
  • Oracle Banking Enterprise Collections [Product ID 13390]
  • Oracle Banking Extensibility Workbench [Product ID 14124]
  • Oracle Banking Loans Servicing [Product ID 13927]
  • Oracle Banking Party Management [Product ID 13929]
  • Oracle Banking Platform [Product ID 9178]
  • Oracle Banking Treasury Management [Product ID 14133]
  • Oracle Communications ASAP [Product ID 2260]
  • Oracle Communications Billing and Revenue Management [Product ID 2136]
  • Oracle Communications BRM Elastic Charging Engine [Product ID 9742]
  • Oracle Communications Convergence [Product ID 8501]
  • Oracle Communications Session Element Manager [Product ID 11052]
  • Oracle Enterprise Performance Management [Product ID 4392]
  • Oracle Financial Services Anti Money Laundering Event Scoring [Product ID 13609]
  • Oracle Financial Services Balance Computation Engine [Product ID 14246]
  • Oracle Financial Services Balance Sheet Planning [Product ID 5663]
  • Oracle Financial Services Crime and Compliance Management Studio [Product ID 13595]
  • Oracle Financial Services Enterprise Case Management [Product ID 13545]
  • Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition [Product ID 13789]
  • Oracle FLEXCUBE Private Banking [Product ID 9110]
  • Oracle GoldenGate [Product ID 5757]
  • Oracle GoldenGate Studio [Product ID 10945]
  • Oracle Healthcare Translational Research [Product ID 9427]
  • Oracle Hospitality Gift and Loyalty [Product ID 11600]
  • Oracle Hospitality Labor Management [Product ID 11601]
  • Oracle Hospitality OPERA 5 [Product ID 12726]
  • Oracle Hospitality Reporting and Analytics [Product ID 11599]
  • Oracle Hospitality Simphony [Product ID 11594]
  • Oracle Hospitality Simphony First Edition [Product ID 11591]
  • Oracle Hospitality Token Proxy Service [Product ID 13387]
  • Oracle Hyperion Financial Close Management [Product ID 5616]
  • Oracle Identity Manager Connector [Product ID 1999]
  • Oracle Insurance Allocation Manager for Enterprise Profitability [Product ID 13946]
  • Oracle Insurance Policy Administration Operational Data Store for Life and Annuity [Product ID 13339]
  • Oracle Policy Automation [Product ID 5624]
  • Oracle Retail Advanced Inventory Planning [Product ID 1785]
  • Oracle Retail EFTLink [Product ID 11516]
  • Oracle Retail Integration Bus [Product ID 1807]
  • Oracle Retail Merchandising System [Product ID 1816]
  • Oracle Retail Price Management [Product ID 1824]
  • Oracle Retail Xstore Point of Service [Product ID 11513]
  • Oracle Spatial and Graph [Product ID 619]
  • Product Lifecycle Analytics [Product ID 9387]
  • SQL Developer [Product ID 1875]
  • Zero Data Loss Recovery Appliance [Product ID 11342]

3.0 Oracle products under investigation

The following Oracle products are under investigation and may be impacted by vulnerability CVE-2021-45046:

  • Functional Testing Advanced Pack for Oracle Utilities [Product ID 11163]
  • Oracle Big Data Spatial and Graph [Product ID 11528]
  • Oracle Fabric Manager [Product ID 10477]
  • Oracle Policy Automation Connector for Siebel [Product ID 5627]
  • Oracle Real-Time Scheduler [Product ID 2238]
  • Oracle Retail Assortment Planning [Product ID 1788]
  • Oracle Retail Back Office [Product ID 2013]
  • Oracle Retail Bulk Data Integration [Product ID 12968]
  • Oracle Retail Central Office [Product ID 2016]
  • Oracle Retail Customer Management and Segmentation Foundation [Product ID 13388]
  • Oracle Retail Data Extractor for Merchandising [Product ID 12936]
  • Oracle Retail Extract Tranform and Load [Product ID 1803]
  • Oracle Retail Financial Integration [Product ID 10722]
  • Oracle Retail Fiscal Management [Product ID 9038]
  • Oracle Retail Insights [Product ID 10263]
  • Oracle Retail Order Management System Cloud Service [Product ID 11519]
  • Oracle Retail Returns Management [Product ID 2020]
  • Oracle Retail Service Backbone [Product ID 10867]
  • Oracle SuperCluster [Product ID 10011]
  • Oracle Utilities Application Framework [Product ID 2245]
  • Oracle Utilities Asset Management Base [Product ID 9574]
  • Oracle Utilities Customer to Meter [Product ID 13345]
  • Oracle Utilities Smart Grid Gateway Adapter for Echelon [Product ID 9129]
  • Oracle Utilities Smart Grid Gateway Adapter for Landis Gyr [Product ID 9130]
  • Oracle Utilities Smart Grid Gateway MV90 Adapter for Itron [Product ID 9128]
  • Oracle Utilities Testing Accelerator [Product ID 13784]
  • Oracle Verrazzano Enterprise Container Platform [Product ID 14360]
  • Retail Analytics [Product ID 9346]
  • Oracle Solaris Operating System [Product ID 10006]
  • Utilities Meter Data Management [Product ID 4101]
  • Utilities Mobile Workforce Management [Product ID 2239]
  • Utilities Smart Grid Gateway [Product ID 9127]
  • Utilities Smart Grid Gateway Adapter Development Kit [Product ID 10356]
  • Utilities Smart Grid Gateway Adapter for Itron OpenWay [Product ID 10211]
  • Utilities Smart Grid Gateway Adapter for Sensus RNI [Product ID 9563]
  • Utilities Smart Grid Gateway Adapter for Silver Spring Networks [Product ID 9560]

4.0 Oracle products with impacted underlying Oracle components

Customers of the following 12 Oracle products should apply the necessary updates, when available, to any impacted underlying Oracle products that are listed in Tables 1 and 2 above:

  • Oracle Access Manager / Webgates [Product ID 5565]
  • Oracle Access Manager [Product ID 5565]
  • Oracle Coherence [Product ID 2545]
  • Oracle Forms [Product ID 45]
  • Oracle Global Lifecycle Management Repository Creation Utility [Product ID 96]
  • Oracle HTTP Server [Product ID 1042]
  • Oracle Identity Manager [Product ID 1980]
  • Oracle Internet Directory [Product ID 355]
  • Oracle SOA Suite [Product ID 1162]
  • Oracle WebCenter Content [Product ID 2271]
  • Oracle WebCenter Content: Imaging [Product ID 4576]
  • Oracle WebCenter Enterprise Capture [Product ID 10212]

5.0 Oracle products not requiring patches

At this point in time, Oracle doesn’t believe the following products to be affected by vulnerability CVE-2021-45046:

  • Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite [Product ID 4589]
  • Agile Product Lifecycle Management Integration Pack for SAP: Design to Release [Product ID 5460]
  • Application Testing Suite [Product ID 4622]
  • Argus Analytics [Product ID 9171]
  • Argus Mart [Product ID 10383]
  • Banking Digital Experience [Product ID 12605]
  • Berkeley DB [Product ID 2051]
  • Commerce Platform [Product ID 9348]
  • Commerce Service Center [Product ID 9351]
  • Communications Converged Application Server [Product ID 5382]
  • Communications EAGLE FTP Table Base Retrieval [Product ID 11116]
  • Communications Network Integrity [Product ID 4491]
  • Communications Order and Service Management [Product ID 2270]
  • CRF Submit Requestor [Product ID 9641]
  • Database Gateway for APPC [Product ID 774]
  • Enterprise Data Quality [Product ID 9464]
  • Enterprise Manager for MySQL Database [Product ID 11166]
  • Enterprise Single Sign-On Suite Plus [Product ID 2074]
  • Exalytics Software [Product ID 9736]
  • FLEXCUBE Direct Banking [Product ID 9111]
  • Health Insurance Claims Management Data Marts [Product ID 9313]
  • Health Insurance Data Management [Product ID 10643]
  • Healthcare Data Repository [Product ID 9161]
  • Java Cloud Service [Product ID 10866] [See MOS Note 2828591.1]
  • JD Edwards EnterpriseOne Deployment Server [Product ID 4781]
  • JD Edwards EnterpriseOne Enterprise Server [Product ID 4781]
  • JD Edwards EnterpriseOne Enterprise Server Platform Pack [Product ID 4781]
  • JD Edwards EnterpriseOne Server Manager [Product ID 4781]
  • JD Edwards World [Product ID 4839]
  • Mobile Application Framework [Product ID 11055]
  • MySQL Server [Product ID 8478]
  • Oracle Adaptive Access Manager [Product ID 4419]
  • Oracle Application Express [Product ID 1348]
  • Oracle Audit Vault and Database Firewall [Product ID 9749]
  • Oracle Blockchain Cloud Service [Product ID 13444]
  • Oracle BPEL Process Manager 10g [Product ID 1669]
  • Oracle Business Intelligence Enterprise Edition [Product ID 2025]
  • Oracle Business Intelligence Publisher [Product ID 1479]
  • Oracle Client [Product ID 5]
  • Oracle Commerce Guided Search/Oracle Commerce Experience Mgr [Product ID 9633]
  • Oracle Communications Calendar Server [Product ID 8494]
  • Oracle Communications Contacts Server [Product ID 10696]
  • Oracle Communications Control Plane Monitor [Product ID 10764]
  • Oracle Communications EAGLE [Product ID 10768]
  • Oracle Communications EAGLE Application Processor [Product ID 11122]
  • Oracle Communications EAGLE Element Management System [Product ID 11125]
  • Oracle Communications EAGLE LNP Application Processor [Product ID 11118]
  • Oracle Communications Fraud Monitor [Product ID 10763]
  • Oracle Communications LSMS [Product ID 11114]
  • Oracle Communications MetaSolv Solution [Product ID 2267]
  • Oracle Communications Operations Monitor [Product ID 10761]
  • Oracle Communications Session Border Controller [Product ID 10750]
  • Oracle Communications User Data Repository [Product ID 11108]
  • Oracle Database (not exploitable) [Product ID 5] [See MOS Note 2796575.1]
  • Oracle Database Appliance [Product ID 9435]
  • Oracle Database Global Service Manager [Product ID 5]
  • Oracle Directory Server Enterprise Edition [Product ID 8512]
  • Oracle Documaker [Product ID 5477]
  • Oracle Enterprise Operations Monitor [Product ID 10762]
  • Oracle Enterprise Session Border Controller [Product ID 10757]
  • Oracle Enterprise Telephony Fraud Monitor [Product ID 13804]
  • Oracle Exadata Storage Server Software [Product ID 2546]
  • Oracle Fail Safe [Product ID 843]
  • Oracle Global Lifecycle Management FMW Installer [Product ID 12748]
  • Oracle GoldenGate for HP Nonstop [Product ID 13046]
  • Oracle Health Insurance Claims Management [Product ID 9307]
  • Oracle Health Insurance Claims Management Web Services [Product ID 9311]
  • Oracle Health Insurance Disbursements and Collections [Product ID 9308]
  • Oracle Health Insurance Long Term Care [Product ID 9394]
  • Oracle Health Insurance Policy Administration [Product ID 9306]
  • Oracle Health Insurance Policy Administration Data Marts [Product ID 9312]
  • Oracle Health Insurance Policy Administration Web Services [Product ID 9310]
  • Oracle Health Sciences Argus Safety [Product ID 5710]
  • Oracle Health Sciences Clinical Development Analytics [Product ID 5563]
  • Oracle Health Sciences InForm [Product ID 9636]
  • Oracle Integrated Lights Out Manager (ILOM) [Product ID 9849]
  • Oracle Java SE [Product ID 856]
  • Oracle Key Vault [Product ID 10221]
  • Oracle Linux [Product ID 1309]
  • Oracle MapViewer [Product ID 1215]
  • Oracle MiniCluster S7-2 Engineered System [Product ID 12598]
  • Oracle NoSQL Database [Product ID 13373]
  • Oracle Retail Allocation [Product ID 1786]
  • Oracle Retail Data Model [Product ID 2538]
  • Oracle Retail Sales Audit [Product ID 1834]
  • Oracle SD-WAN Aware [Product ID 13941]
  • Oracle SD-WAN Edge [Product ID 13940]
  • Oracle Secure Backup [Product ID 1522]
  • Oracle Service Architecture Leveraging Tuxedo (SALT) [Product ID 5435]
  • Oracle SPARC Server Firmware [Product ID 9846]
  • Oracle StorageTek Tape Analytics [Product ID 10085]
  • Oracle TimesTen In-Memory Database [Product ID 1870]
  • Oracle Tuxedo Application Rehosting Workbench [Product ID 8485]
  • Oracle Tuxedo Mainframe Adapter for OSI TP [Product ID 5439]
  • Oracle Virtual Directory [Product ID 1978]
  • Oracle VM [Product ID 4455]
  • Oracle VM VirtualBox [Product ID 8370]
  • Oracle Warehouse Builder [Product ID 9]
  • Oracle WebLogic Server (not exploitable) [Product ID 5242] [See MOS Note 2827793.1]
  • Oracle WebLogic Server For OCI Container Engine [Product ID 14223] [See MOS Note 2828530.1]
  • Oracle WebLogic Server For Oracle Cloud Infrastructure [Product ID 14031] [See MOS Note 2828556.1]
  • Oracle x86 Server Firmware [Product ID Multiple]
  • Oracle ZFS Storage Appliance Kit [Product ID 10026]
  • PeopleSoft Enterprise CRM Client Management [Product ID 4860]
  • PeopleSoft Enterprise CS Install [Product ID 9068]
  • PeopleSoft Enterprise FIN Install [Product ID 8925]
  • PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil [Product ID 8883]
  • PeopleSoft Enterprise HCM Human Resources [Product ID 5071]
  • PeopleSoft Enterprise PRTL Interaction Hub [Product ID 5090]
  • Policy Automation for Mobile Devices [Product ID 5626]
  • Portable ClusterWare [Product ID 5]
  • Private Cloud Appliance [Product ID 10635]
  • Rapid Planning [Product ID 5235]
  • Secure Global Desktop [Product ID 8539]
  • Sun StorageTek Tape Library ACSLS [Product ID 10088]
  • Tekelec Platform [Product ID 11269]
  • Transportation Management [Product ID 1991]
  • Universal Installer [Product ID 662]
 类似资料:

相关阅读

相关文章

相关问答