oracle / docker-images

Official source of container configurations, images, and examples for Oracle products and projects
https://developer.oracle.com/use-cases/#containers
Universal Permissive License v1.0

Critical vulnerabilities detected in Apache log4j2.x.jar used in OracleDB 19.10 (and 19.3) binaries #2213

Open mukul-tyagi opened 2 years ago

mukul-tyagi commented 2 years ago

Here is the detailed log from running log4shell:

```
10:19AM INF identified vulnerable path cve: CVE-2021-44228 fileName: org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class path: /opt/oracle/product/19c/dbhome_1/32218454/files/md/property_graph/lib/log4j-core-2.11.0.jar severity: 10.0 versionInfo: "log4j 2.12.0-2.12.1"
10:19AM INF identified vulnerable path cve: CVE-2021-44228 fileName: org/apache/logging/log4j/core/net/JndiManager$1.class path: /opt/oracle/product/19c/dbhome_1/32218454/files/md/property_graph/lib/log4j-core-2.11.0.jar severity: 10.0 versionInfo: "log4j 2.8.2-2.12.0"
10:19AM INF identified vulnerable path cve: CVE-2021-44228 fileName: org/apache/logging/log4j/core/net/JndiManager.class path: /opt/oracle/product/19c/dbhome_1/32218454/files/md/property_graph/lib/log4j-core-2.11.0.jar severity: 10.0 versionInfo: "log4j 2.12.0-2.12.1"
10:19AM INF identified vulnerable path cve: CVE-2021-44228 fileName: org/apache/logging/log4j/core/pattern/MessagePatternConverter.class path: /opt/oracle/product/19c/dbhome_1/32218454/files/md/property_graph/lib/log4j-core-2.11.0.jar severity: 10.0 versionInfo: "log4j 2.12"
10:19AM INF identified vulnerable path cve: CVE-2021-44228 fileName: org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class path: /opt/oracle/product/19c/dbhome_1/32218454/files/md/property_graph/pgx/server/pgx-webapp-3.2.0.war::WEB-INF/lib/log4j-core-2.11.0.jar severity: 10.0 versionInfo: "log4j 2.12.0-2.12.1"
10:19AM INF identified vulnerable path cve: CVE-2021-44228 fileName: org/apache/logging/log4j/core/net/JndiManager$1.class path: /opt/oracle/product/19c/dbhome_1/32218454/files/md/property_graph/pgx/server/pgx-webapp-3.2.0.war::WEB-INF/lib/log4j-core-2.11.0.jar severity: 10.0 versionInfo: "log4j 2.8.2-2.12.0"
10:19AM INF identified vulnerable path cve: CVE-2021-44228 fileName: org/apache/logging/log4j/core/net/JndiManager.class path: /opt/oracle/product/19c/dbhome_1/32218454/files/md/property_graph/pgx/server/pgx-webapp-3.2.0.war::WEB-INF/lib/log4j-core-2.11.0.jar severity: 10.0 versionInfo: "log4j 2.12.0-2.12.1"
10:19AM INF identified vulnerable path cve: CVE-2021-44228 fileName: org/apache/logging/log4j/core/pattern/MessagePatternConverter.class path: /opt/oracle/product/19c/dbhome_1/32218454/files/md/property_graph/pgx/server/pgx-webapp-3.2.0.war::WEB-INF/lib/log4j-core-2.11.0.jar severity: 10.0 versionInfo: "log4j 2.12"
10:19AM WRN unable to open archive error="zip: not a valid zip file" path: /opt/oracle/product/19c/dbhome_1/javavm/lib/jce.jar
10:19AM WRN unable to open archive error="zip: not a valid zip file" path: /opt/oracle/product/19c/dbhome_1/javavm/lib/sunjce_provider.jar
10:19AM WRN unable to access file error="lstat /proc/6/fd/3: no such file or directory" path: /proc/6/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/fdinfo/3: no such file or directory" path: /proc/6/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/10/fd/3: no such file or directory" path: /proc/6/task/10/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/10/fdinfo/3: no such file or directory" path: /proc/6/task/10/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/11/fd/3: no such file or directory" path: /proc/6/task/11/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/11/fdinfo/3: no such file or directory" path: /proc/6/task/11/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/12/fd/3: no such file or directory" path: /proc/6/task/12/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/12/fdinfo/3: no such file or directory" path: /proc/6/task/12/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/13/fd/3: no such file or directory" path: /proc/6/task/13/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/13/fdinfo/3: no such file or directory" path: /proc/6/task/13/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/14/fd/3: no such file or directory" path: /proc/6/task/14/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/14/fdinfo/3: no such file or directory" path: /proc/6/task/14/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/15/fd/3: no such file or directory" path: /proc/6/task/15/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/15/fdinfo/3: no such file or directory" path: /proc/6/task/15/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/16/fd/3: no such file or directory" path: /proc/6/task/16/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/16/fdinfo/3: no such file or directory" path: /proc/6/task/16/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/17/fd/3: no such file or directory" path: /proc/6/task/17/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/17/fdinfo/3: no such file or directory" path: /proc/6/task/17/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/6/fd/3: no such file or directory" path: /proc/6/task/6/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/6/fdinfo/3: no such file or directory" path: /proc/6/task/6/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/7/fd/3: no such file or directory" path: /proc/6/task/7/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/7/fdinfo/3: no such file or directory" path: /proc/6/task/7/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/8/fd/3: no such file or directory" path: /proc/6/task/8/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/8/fdinfo/3: no such file or directory" path: /proc/6/task/8/fdinfo/3
10:19AM WRN unable to access file error="lstat /proc/6/task/9/fd/3: no such file or directory" path: /proc/6/task/9/fd/3
10:19AM WRN unable to access file error="lstat /proc/6/task/9/fdinfo/3: no such file or directory" path: /proc/6/task/9/fdinfo/3
```

CVE-2021-44228, also known as Log4Shell, is a code interpretation vulnerability impacting Log4j. Log4j is a popular Java logging library used by many projects. This vulnerability is caused by Improper Input Validation (CWE-20), Uncontrolled Resource Consumption (CWE-400) and Deserialization of Untrusted Data (CWE-502). This flaw is exploitable (for example) by using the Java Naming and Directory Interface (JNDI), a Java API used to connect to directory interfaces like LDAP. This vulnerability is exploitable because of log messages that could be executed. Remote authenticated attackers who can control log messages or log message parameters can execute arbitrary code loaded from attacker servers when message lookup substitution is enabled. This lookup makes it possible to download a payload. The payload could contain a remote Java class which, executed by the server, will enable arbitrary code execution. The impact on confidentiality, integrity, and availability is rated as High. The attack complexity is considered low.

Please update this log4j-core-2.11.0.jar in the binaries. Please refer to this link while updating the binaries for log4j.

yunus-qureshi commented 2 years ago

@mukul-tyagi please refer to this MOS note:

Oracle Database and Apache log4j vulnerability CVE-2021-44228 (Doc ID 2828877.1)

DB is not affected by this vulnerability

mukul-tyagi commented 2 years ago

@yunus-qureshi thanks for the reply, we have some queries then:

mdige commented 2 years ago

@yunus-qureshi I can't access the doc ID link above either. We are using the docker image oracle/database:12.1.0.2-ee where we can see that this file /opt/oracle/product/12.1.0.2/dbhome_1/oui/jlib/jlib/log4j-core.jar is part of the image. Is this file not affected by CVE-2021-44228? If so any chance a patch or updated version of either 12.1.0.2 or 12.2.0.2 will be available?

Thanks in advance
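Two things in this thread call for the same check: the scanner output in the opening report (which walks nested archives such as `pgx-webapp-3.2.0.war::WEB-INF/lib/log4j-core-2.11.0.jar` and flags jars it cannot open), and mdige's question about whether a specific `log4j-core.jar` inside an image is affected. The example below is added here and is not the log4shell scanner, Oracle's code or anything from this repository. It walks a directory tree (for an image, the tree you get from `docker export` or `docker cp`), recurses into jars nested inside wars or ears, reads the version from the `pom.properties` that Maven-built log4j-core jars carry, and checks whether `JndiLookup.class` is still present, which is what the class-removal mitigation deletes. The version ranges are taken from the Apache advisory for CVE-2021-44228 (fixed in 2.15.0, with 2.12.2 and 2.3.1 as the Java 7 and Java 6 branch fixes); the sample archives it builds in a temporary directory are constructed stand-ins that contain only the two files the check reads, not real log4j bytecode.

```python
"""Inventory log4j-core copies under a directory tree, nested archives included.

Added example, not the log4shell scanner or Oracle's code. Assumes the standard
log4j-core layout: Maven pom.properties under META-INF and JndiLookup.class in
org/apache/logging/log4j/core/lookup/."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(pom_properties: str):
    """Return the version= value of a Maven pom.properties body, or None."""
    for line in pom_properties.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def version_tuple(version: str) -> tuple:
    """'2.12.1' -> (2, 12, 1); a pre-release such as '2.0-beta9' becomes (2, 0, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_affected(version: str) -> bool:
    """Version-range half of the CVE-2021-44228 check, per the Apache advisory:
    2.0-beta9 through 2.14.1 affected; fixed in 2.15.0, and on the older
    branches in 2.12.2 (Java 7) and 2.3.1 (Java 6)."""
    v = version_tuple(version)
    if v < (2, 0, 0) or v >= (2, 15, 0):
        return False
    if v[:2] == (2, 12) and v[2] >= 2:
        return False
    if v[:2] == (2, 3) and v[2] >= 1:
        return False
    return True


def inspect_archive(data: bytes, display_path: str, findings: list) -> None:
    """Inspect one archive held in memory and recurse into archives nested in it,
    reporting nested members with the outer::inner notation the scanner log uses."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Same situation as the jce.jar warning in the report: record it, don't skip silently.
        findings.append({"path": display_path, "error": "not a valid zip file"})
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            has_jndi = JNDI_LOOKUP in names
            findings.append({
                "path": display_path,
                "version": version,
                "jndi_lookup_present": has_jndi,
                # Both halves must hold: an affected version AND the lookup class still shipped.
                "vulnerable": bool(version) and has_jndi and version_affected(version),
            })
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), f"{display_path}::{name}", findings)


def scan_tree(root) -> list:
    """Scan every archive below root (e.g. an exported container filesystem)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings


def _log4j_core_jar(version: str, keep_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar holding only the files the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if keep_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()


def build_sample_tree(root) -> None:
    """Constructed layout echoing the report: a bare 2.11.0 jar, the same jar nested in
    a war, a patched 2.12.2 jar, a 2.14.1 jar with JndiLookup removed, a 2.17.1 jar,
    and a file named like a jar that is not a zip."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True)
    (lib / "log4j-core-2.11.0.jar").write_bytes(_log4j_core_jar("2.11.0", True))
    (lib / "log4j-core-2.12.2.jar").write_bytes(_log4j_core_jar("2.12.2", True))
    (lib / "log4j-core-2.14.1.jar").write_bytes(_log4j_core_jar("2.14.1", False))
    (lib / "log4j-core-2.17.1.jar").write_bytes(_log4j_core_jar("2.17.1", True))
    (lib / "jce.jar").write_bytes(b"not really a zip")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.0.jar", _log4j_core_jar("2.11.0", True))
    (Path(root) / "pgx-webapp.war").write_bytes(war.getvalue())


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, scan it, key findings by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {f["path"][len(tmp) + 1:]: f for f in scan_tree(tmp)}


if __name__ == "__main__":
    for rel_path, finding in run_demo().items():
        print(rel_path, finding)
```

Point `scan_tree` at a real exported image root instead of the constructed tree to get the same per-jar verdicts; a finding with `jndi_lookup_present` false on an affected version is the class-removal mitigation, and an `error` entry is an archive worth inspecting by hand, as the report's `jce.jar` warnings were.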