In recent days, a notification was sent out to the public stating that a zero-day vulnerability (CVE-2021-44228) had been discovered in Apache log4j versions up to 2.14.1 and even 2.15.0. What is happening is that the JNDI features used in any of the configurations or parameters are not protective against attacks which can control log messages or parameters to run malicious code when message lookup substitution has been turned on. As a result, Apache is urging people to upgrade their Apache log4j versions to 2.16.0 (or later when newer versions come out in the future). More detailed information on this vulnerability may be found on Apache’s blog page here. Oracle has determined that many of its products have been affected by this vulnerability and is looking to provide patches and mitigations for affected products. One question which we have received from many customers in the past week is: does this impact Oracle WebLogic Server, Oracle Forms and Reports, and APEX?
The good news is that Oracle currently does not detect that Oracle Application Express (APEX) is affected by the vulnerability. As a result, no patches or mitigations will be created for APEX at this time. For current updates, please check into Doc ID 2827611.1 in case Oracle changes anything.
Oracle Forms and Reports
By default, Oracle WebLogic Server, the application server used for running Oracle Forms and Reports 12c, does NOT use the Apache log4j libraries. As a result, Oracle Forms and Reports is not affected by the vulnerability per se. However, it is possible to update the system CLASSPATH variable in Oracle WebLogic Server so that the Apache log4j libraries (log4j-2.11.1.jar in version 18.104.22.168.0 or log4j-1.2.17.jar in version 22.214.171.124.0) located in $ORACLE_HOME/oracle_common/modules/thirdparty are included. If this is done, then Oracle WebLogic Server as well as any Oracle Fusion Middleware product such as Oracle Forms and Reports, OHS, etc. are directly impacted by the CVE-2021-44228 vulnerability.
To see if you have the Apache log4j libraries in your system CLASSPATH for your WebLogic environment, you may check in $DOMAIN_HOME/servers/<SERVER_NAME>/logs/<SERVER_NAME>.out in the CLASSPATH value to see if either log4j-2.11.1.jar or log4j-1.2.17.jar are present. If these jar files are not present, you have the choice to either do nothing at all, implement a patch (see below), or implement a mitigation action (also see below). For all Oracle Forms and Reports 12c installations PITSS has performed, we do not add these jar files to the CLASSPATH variable, so the only way they would be in the CLASSPATH is if they were added without the guidance from PITSS. However, if these jar files are in your system CLASSPATH in your WebLogic logs, you will need to either apply the patch or the mitigation action as soon as possible as the vulnerability has been deemed critical.
Solution 1: Apply an Oracle Patch
Oracle has created a patch which upgrades the jar files to version 2.16.0. The patch may be downloaded from Oracle Support Doc ID 2827793.1. There is a patch available for Oracle WebLogic Server 126.96.36.199.0, 188.8.131.52.0, and 184.108.40.206.0 (the latter version is not applicable for Forms and Reports 12c), so please make sure that you are downloading and installing the correct version. If you are using an older Oracle Forms and Reports 12c version such as 220.127.116.11.0 or older, you will either need to implement Solution 2 or upgrade to Oracle Forms and Reports 18.104.22.168.0 or 22.214.171.124.0. When applying this patch, the following prerequisites must be completed:
- All WebLogic servers and components (OHS, standalone reports server, Node Manager) must be shut down in your ORACLE_HOME first before applying these patches
- Oracle Patch 33416868 for Oracle Forms and Reports 126.96.36.199.0 and 188.8.131.52.0 must be applied (it is Oracle Patch 33412599 for Oracle Forms and Reports 184.108.40.206.0)
- Oracle Patch 33286160 for Oracle Forms and Reports 220.127.116.11.0 and 18.104.22.168.0 must be applied (it is Oracle Patch 33286132 for Oracle Forms and Reports 22.214.171.124.0)
Solution 2: Apply a Mitigation Action
If you are unable to apply the patch or cannot shut down your WebLogic environment right now, another option which you can implement is to perform a mitigation action to remove the vulnerability from the log4j jar files. First, look in your server for any log4j*.jar files inside $ORACLE_HOME/oracle_common/modules/thirdparty. In UNIX, this can be done using “find /<PATH_TO_ORACLE_HOME> -name log4j*.jar”. Once you have found the jar file(s), you may run this command to remove the JndiLookup.class from the log4j*.jar files (this class has the vulnerability):
- Linux/UNIX: zip -q -d log4j*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Windows: zip -d log4j-2.11.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
NOTE: For Windows environments, you must specify the specific name of the log4j jar file and do this for each log4j jar file individually.
This is a very new report, and new updates are possible to follow. As a result, things may change unexpectedly. Please follow Doc ID 2827611.1 in My Oracle Support for any new updates from Oracle on this vulnerability.