ORMB – Log4j Shell Vulnerability Remediation

Log4j Shell Vulnerability

Log4Shell is a new “Zero Day Vulnerability” in Apache Log4j 2, a popular open-source Java library owned by the Apache Software Foundation and used for logging error messages in applications, including ORMB and its supported platforms. The vulnerability, published as CVE-2021-44228, impacts all Apache Log4j 2 versions from 2.0 to 2.15.0 and gives an attacker easy-to-exploit remote code execution (RCE) by inserting text into log messages that causes code to be loaded from a remote server. It impacts only the log4j-core libraries.

The Apache Software Foundation has issued the following four Apache Log4j 2 versions as security fixes to date for the Log4j 2 vulnerabilities: CVE-2021-44228 (Apache Log4j2 v2.15), CVE-2021-45046 (Apache Log4j2 v2.16), CVE-2021-45105 (Apache Log4j2 v2.17) and CVE-2021-44832 (Apache Log4j2 v2.17.1).

CVE-2021-44228 has been assigned a Common Vulnerability Scoring System (CVSS) base score of 10 out of 10, the highest severity score, because of the potential impact of the underlying vulnerability and the ease with which malicious attackers can exploit it. CVE-2021-45046 has a CVSS base score of 9, CVE-2021-45105 has a CVSS base score of 5.3 and CVE-2021-44832 has a CVSS base score of 6.6.

Oracle Security Advisory for CVE-2021-44228

Oracle released a Security Alert Advisory for CVE-2021-44228 in response to the Log4j Shell vulnerability, covering all Oracle products that use the impacted log4j libraries.

Oracle’s recommendation is to follow the “best practices” mentioned below and apply the fixes to all Oracle Revenue Management and Billing (ORMB) instances across all environments, for both ORMB and its “supported platforms”, i.e. the application server, database server and Oracle VM, as applicable.

Oracle Recommended “Best Practice”

Oracle recommends that the Oracle software stack versions for both ORMB and supported platforms be “actively supported”, i.e. on product versions under “Premier Support” or “Extended Support” per the Oracle Lifetime Support Policy, with the latest “Critical Patch Update (CPU)” security patches applied. Critical Patch Updates are released quarterly, on the third Tuesday of January, April, July, and October.

Below are the ORMB versions currently under Premier Support (Extended Support is not applicable)

As per Error Correction Support Dates for Oracle Fusion Middleware 12c (Doc ID 1933372.1), the WebLogic versions currently under support are 12.2.1.3 and 12.2.1.4.

As per Release Schedule of Current Database Releases (Doc ID 742060.1), the recommended current database version with Long Term Release (LTS) status is 19c.

ORMB and Supported Platforms Log4j Patches for On-Prem and Cloud Instances

Oracle customers should refer to the base MOS article for Log4j 2 patches for all Oracle products, including ORMB and supported platforms: “Impact of December 2021 Apache Log4j Vulnerabilities on Oracle Products and Services (CVE-2021-44228, CVE-2021-45046)” (Doc ID 2827611.1), for up-to-date information.

This note is divided into separate sections for Oracle cloud and on-premises environments:

  • Applicability of Log4j vulnerabilities to Oracle Cloud environments: This section provides information about the remedial status of all Oracle cloud environments (Doc ID 2830129.1)
    • ORMB SaaS – “Oracle Cloud for Industries – Revenue Management and Billing Cloud Service” – Oracle has completed the remedial actions for affected Apache log4j components in alignment with CISA’s Emergency Directive 22-02 across the ORMB Cloud environment.
    • ORMB IaaS components – Oracle has completed the remedial actions for all of the impacted OCI IaaS services; a few of the major ones from an ORMB perspective are listed below:
      • Compute (Bare Metal Servers, Virtual Machines, VMware)
      • Storage (Archive Storage, Block Volumes, Data Transfer Service, File Storage, Object Storage)
      • Networking (DNS Management, Load Balancers)
      • Databases (Exadata Cloud@Customer, Exadata Database Service, Autonomous Database)

Note – For customer-managed cloud environments including IaaS deployment model hosting ORMB instances, Oracle has published relevant technical documentation via “How to use Oracle Cloud Infrastructure (OCI) Vulnerability Scanning Service (VSS) to detect vulnerable Apache Log4j versions (Doc ID 2846469.1)”.

In a nutshell, OCI VSS scans OCI Compute instances (both Bare Metal and Virtual Machines (VMs)) and Container Images stored in Oracle Cloud Infrastructure Registry (OCIR) for versions of Apache Log4j that are affected by any of the following vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 or CVE-2021-44832.

  • Applicability of Log4j to Oracle on-premises products: This section provides information about the availability of patches for ORMB and supported platforms for on-premises instances (including traditionally licensed products and cloud on-premises components) (Doc ID 2830143.1)
    • ORMB Impacted Versions – 2.7.0, 2.9.0, 3.0.0, 3.1.0
      • Patch availability Reference document – Doc ID 2829258.1
      • Note – ORMB Analytics is not impacted by this vulnerability
    • Oracle Utilities Application Framework (OUAF) Impacted Versions – 4.3.0.1.0 to 4.3.0.1.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
    • Oracle WebLogic Impacted Versions – 12.2.1.3, 12.2.1.4
    • Oracle DB Impacted Versions – Oracle Databases with the October 2020 or later Critical Patch Update are evaluated as not vulnerable to CVE-2021-44228 or CVE-2021-45046
      • Patch availability Reference document – Doc ID 2828877.1
      • For installations using Trace File Analyzer, it is recommended to upgrade to version 21.3.4 or higher (Doc ID 2550798.1).
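As an added example (not part of this note, Oracle's patches or the OCI VSS tooling), the following Python script performs the kind of version check the scanning and impacted-version sections describe: it reads the log4j-core version from a JAR's manifest or file name and reports which of the four CVEs listed in this note are still open, using the fix releases the note gives (2.15, 2.16, 2.17, 2.17.1). It assumes the manifest carries an Implementation-Version attribute (falling back to the file name otherwise) and uses a constructed in-memory JAR as sample input.

```python
import io
import re
import zipfile
from pathlib import Path

# Fix release per CVE, taken from the fix-version list earlier in this note.
FIX_VERSIONS = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}

def parse_version(text):
    """Return (major, minor, patch) from text such as '2.17.1' or 'log4j-core-2.14.1.jar'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def open_cves(version):
    """CVEs from this note whose fix release is newer than the given log4j-core 2.x version."""
    if version is None or version[0] != 2:
        return []  # Log4j 1.x is a different code base and outside this note's scope
    return [cve for cve, fixed in FIX_VERSIONS.items() if version < fixed]

def jar_version(jar, name=""):
    """Read Implementation-Version from the manifest (assumed present); else parse the file name."""
    try:
        with zipfile.ZipFile(jar) as z:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (KeyError, zipfile.BadZipFile, OSError):
        pass
    return parse_version(name or str(jar))

def scan_tree(root):
    """Walk an install tree (e.g. an ORMB or WebLogic home) and map each exposed log4j-core JAR to its open CVEs."""
    findings = {}
    for jar in Path(root).rglob("log4j-core*.jar"):
        cves = open_cves(jar_version(jar, jar.name))
        if cves:
            findings[str(jar)] = cves
    return findings

def constructed_sample_jar(version):
    """Constructed fixture: an in-memory JAR holding only a manifest, not a real log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    buf.seek(0)
    return buf
```

Running `scan_tree("/path/to/ormb_home")` (hypothetical path) returns only the JARs that still need one of the patches referenced in Doc ID 2829258.1; a 2.17.1 build maps to an empty list.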

Reference Articles

Author Details

Vivek Raaj

Vivek is part of the Oracle Revenue Management and Billing (ORMB) Practice at Infosys with extensive experience of multiple greenfield and brownfield implementation programs, as Infrastructure & Administration track lead, for ORMB and integrated ERP and products in both on-prem and Oracle cloud landscape.
