Oracle Security Alert Advisory – CVE-2021-44228/CVE-2021-45046

Last updated 17:00, 21st December 2021

On December 10th 2021, Oracle released Security Alert CVE-2021-44228 in response to the disclosure of a new vulnerability affecting Apache Log4j 2 releases prior to version 2.15.0.

Subsequently, the Apache Software Foundation released Apache Log4j version 2.16.0, which addresses an additional vulnerability (CVE-2021-45046). Apache's mitigation instructions for these issues have also evolved over time.

This document details the Oracle products and versions affected by CVE-2021-45046. This information generally supersedes the information previously published for CVE-2021-44228.

Description

This Security Alert addresses CVE-2021-44228/45046, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

My Oracle Support (MOS)

On investigation, Xynomix has identified the following My Oracle Support information, which should be referenced to determine whether this vulnerability impacts your wider systems.

Impact of December 2021 Apache Log4j Vulnerabilities on Oracle Products and Services (CVE-2021-44228, CVE-2021-45046) (Doc ID 2827611.1)

IMPORTANT: With effect from the 15th December 2021, Oracle have updated the original My Oracle Support note: 

The initial content for this note was limited to the impact of the Apache Log4j vulnerability CVE-2021-44228 on Oracle products, for releases and versions that are in Premier Support or Extended Support under the Oracle Lifetime Support Policy. This obsolete note is archived as MOS Note ID 2828594.1 and will no longer be updated.

Below is an overview of this document, to access the full document you must have an active support contract with Oracle.

Within the document, Oracle also provides a detailed list of the following: 

  1. Oracle products with patches or mitigation available
  2. Oracle products with patches pending 
  3. Oracle products under investigation 
  4. Oracle products with impacted underlying components 
  5. Oracle products not requiring patches

Xynomix has produced this document in addition to the Oracle documentation, to assist our customers in understanding this vulnerability and any impact on Xynomix-supported environments. 

It is important to note the following: 

  1. Product releases that are not under Premier Support or Extended Support are not tested for the presence of this vulnerability.
  2. Apache reported that CVE-2021-44228 applies only to Log4j versions 2.0-2.14.1, and does not apply to Log4j versions 1.x.

For reference please view Oracle Database release and support timelines.
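The version ranges above are what a practitioner has to turn into a check on each host. The following is an added example (it is not Oracle's or Xynomix's tooling) that walks a directory such as an Oracle home, finds log4j-core JARs including ones nested inside WAR/EAR files, reads the version from the JAR's Maven pom.properties and classifies it: 2.0 to 2.14.1 as vulnerable to CVE-2021-44228 and CVE-2021-45046, 2.15.0 as vulnerable to CVE-2021-45046 only, and 2.16.0 or later as fixed for both. It also reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class has been removed, which is Apache's mitigation where a release cannot be upgraded, and treats the Java 7 backport 2.12.2 as fixed; the JndiLookup check and the 2.12.2 exception come from Apache's advisory rather than from this page. The sample tree it scans when run without arguments is constructed test data.

```python
"""Find Apache Log4j 2 log4j-core JARs (including JARs nested inside WAR/EAR files)
under a directory and classify each against the version ranges in this advisory.
Added example, not Oracle's or Xynomix's tooling; build_sample_tree() writes constructed data."""
import io
import os
import re
import sys
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_CLASS = "org/apache/logging/log4j/core/Core.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_CLASS = "org/apache/log4j/Logger.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def classify(version, has_jndi_lookup):
    """Status of one log4j-core JAR.  Ranges per Apache: 2.0-2.14.1 for CVE-2021-44228,
    below 2.16.0 (other than 2.12.2) for CVE-2021-45046; deleting JndiLookup.class mitigates."""
    if version is None:
        return "unknown-version (inspect manually)"
    if version >= (2, 16, 0) or version == (2, 12, 2):
        return "fixed"
    if not has_jndi_lookup:
        return "mitigated (JndiLookup.class removed)"
    if version <= (2, 14, 1):
        return "vulnerable CVE-2021-44228 + CVE-2021-45046"
    return "vulnerable CVE-2021-45046 (2.15.0)"


def inspect_archive(zf, label, findings):
    """Append (label, version, status) for log4j JARs; recurse into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names or CORE_CLASS in names:
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        findings.append((label, version, classify(version, JNDI_LOOKUP in names)))
    elif LOG4J1_CLASS in names:
        findings.append((label, None, "not-affected (log4j 1.x; CVE-2021-44228 does not apply)"))
    for name in names:  # Oracle middleware ships log4j inside WAR/EAR archives
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{label}!/{name}", findings)
            except zipfile.BadZipFile:
                pass


def scan_tree(root):
    """Walk root; return [(label relative to root, version, status)] sorted by label."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in [f for f in files if f.lower().endswith(ARCHIVE_EXT)]:
            full = os.path.join(dirpath, fname)
            label = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, label, findings)
            except zipfile.BadZipFile:
                findings.append((label, None, "unreadable archive"))
    return sorted(findings, key=lambda f: f[0])


def _zip(entries):
    """Constructed in-memory ZIP built from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _fake_jar(version, with_jndi_lookup):
    """Constructed minimal log4j-core JAR: pom.properties plus placeholder class entries."""
    entries = {POM_PROPS: f"version={version}\nartifactId=log4j-core\n", CORE_CLASS: b"\xca\xfe\xba\xbe"}
    if with_jndi_lookup:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"
    return _zip(entries)


def build_sample_tree():
    """Constructed test data covering the cases the advisory distinguishes."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.mkdir(os.path.join(root, "lib"))
    samples = {
        "lib/log4j-core-2.14.1.jar": _fake_jar("2.14.1", True),
        "lib/log4j-core-2.14.1-mitigated.jar": _fake_jar("2.14.1", False),
        "lib/log4j-core-2.16.0.jar": _fake_jar("2.16.0", True),
        "lib/log4j-1.2.17.jar": _zip({LOG4J1_CLASS: b"\xca\xfe\xba\xbe"}),  # 1.x, other package
        "app.ear": _zip({"WEB-INF/lib/log4j-core-2.15.0.jar": _fake_jar("2.15.0", True)}),
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for label, version, status in scan_tree(target):
        print(f"{status:48s} {'.'.join(map(str, version)) if version else '-':8s} {label}")
```

Run it with the path to the Oracle home or WebLogic domain you want to check as the only argument. A JAR reported as "mitigated" is still an unpatched release and should be upgraded when the product patch is applied, and a JAR that has been shaded or renamed by a product will not carry the log4j-core pom.properties this check keys on, so treat the output as a first pass alongside the MOS note rather than as a replacement for it.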

Xynomix Review

Xynomix is currently investigating any products which we believe may affect our customer base. This is still a developing situation and Oracle is constantly updating the MOS note. Detailed below are products which may require patching, are being investigated, are awaiting a patch, or are confirmed as not affected, as per the above document (2827611.1). 

Selected Oracle products with patches or mitigation available:

  • Automatic Service Request [Product ID 9042]
  • Autonomous Health Framework / Trace File Analyzer [Product ID 10655]
  • Oracle Data Integrator (ODI) [Product ID 2196]
  • Oracle E-Business Suite [Product ID 1745]
  • Oracle Enterprise Manager [Product ID 1370]
  • Oracle Fusion Middleware [Product ID 1032]
  • Oracle JDeveloper [Product ID 807]
  • Oracle Reports Developer [Product ID 159]
  • Oracle WebLogic Server [Product ID 5242] (NOTE: This was previously categorised as Not Exploitable, subject to configuration)
  • SQL Developer [Product ID 1875]

Selected Oracle products with patches pending:

  • No customer related products found in the list.

NOTE: Products in this category are vulnerable but do not yet have patches available for CVE-2021-44228/45046; at the time of writing none of the products Xynomix supports fall into it.

Selected Oracle products under investigation:

  • No customer related products found in the list.

Selected Oracle products with impacted underlying Oracle components:

  • Oracle Forms [Product ID 45]
  • Oracle HTTP Server [Product ID 1042]

Selected Oracle products not requiring patches:

  • MySQL Server [Product ID 8478]
  • Oracle Application Express [Product ID 1348]
  • Oracle Client [Product ID 5]
  • Oracle Database (not exploitable) [Product ID 5]
  • Oracle Database Appliance [Product ID 9435]
  • Oracle Fail Safe [Product ID 843]
  • Oracle Integrated Lights Out Manager (ILOM) [Product ID 9849]
  • Oracle Java SE [Product ID 856]
  • Oracle Linux [Product ID 1309]
  • Oracle Secure Backup [Product ID 1522]
  • Oracle Solaris Operating System [Product ID 10006]
  • Oracle SPARC Server Firmware [Product ID 9846]
  • Oracle VM [Product ID 4455]
  • Oracle VM VirtualBox [Product ID 8370]
  • Oracle x86 Server Firmware [Product ID Multiple]
  • Universal Installer [Product ID 662]

IMPORTANT: Please note the information above is correct at the time of writing, and it is strongly recommended that the MOS note is reviewed in detail as other environments outside of Xynomix monitoring may be affected. 

Frequently Asked Questions

Please find listed below some of the commonly asked questions:

What is involved in patching my systems?

Oracle is releasing separate patches for each affected product, so the patch application process differs from product to product, and each product requiring patching may have a different impact on your business.

Is this covered under my Managed Service with Xynomix?

Security patching is considered consultancy and can be requested by the customer. Xynomix will provide a Statement of Work for customer acceptance and sign-off.

What happens if I’m running an unsupported version of an Oracle product?

Xynomix recommends raising a Service Request (SR) with Oracle for any unlisted or unsupported products you suspect may be affected.

What is the current patching position on Oracle cloud?

The official response from the My Oracle Support note is shown below: 

The Oracle cloud operations and security teams are evaluating all information related to CVE-2021-45046 and CVE-2021-44228. They are evaluating all relevant third-party fixes as they become available.

Note that patching and mitigation activities in these environments have been ongoing since the initial release of the Alert, and some customers may have already received notifications of mandatory maintenance (if the maintenance resulted in a noticeable impact such as service interruption).