Log4j issues allow a remote client to execute code without authentication.
Software vendors spent the last two months thinking of the impact and the mitigations.
If you have Enterprise Manager, you have multiple web services, like em itself (https://oms.example.com:7799/em), the weblogic console (https://oms.example.com:7102/console), the agent (https://dbsrv01.example.com:3872/emd/main/) and others. This makes you an easy victim.
If you care about security, you have restricted access to your management server to the outside world. The more network firewalls between Mr Bad and OEM, the better.
What is impacted?
DISCLAIMER: the stated here may no longer be accurate when read
Log4J version 2.0 to 2.16
Other Log4J (version 1.x and 2.17) when used with JMSAppender.
What is fixed?
There is a patch for WLS that upgrade 2.11 to 2.17
After applying 33727616, the version (but not the filename) is 2.17.0
$ unzip -p log4j-2.11.1.jar META-INF/MANIFEST.MF Manifest-Version: 1.0 Bundle-Description: The Apache Log4j Implementation Implementation-Title: Apache Log4j Bundle-SymbolicName: org.apache.logging.log4j Implementation-Version: 2.17.0 Archiver-Version: Plexus Archiver Specification-Vendor: The Apache Software Foundation Specification-Title: Apache Log4j Bundle-Vendor: The Apache Software Foundation Implementation-Vendor: The Apache Software Foundation Bundle-Version: 2.17.0 Created-By: Apache Maven 3.6.3 Build-Jdk: 1.8.0_291
This has to be done on the MWHOME and on the agent of OMS only (the central management agent).
For the regular agents installed on the database servers, the version is 1.2.17 and JMSAppender is present
$ unzip -p log4j-core.jar META-INF/MANIFEST.MF| tail -6 Name: org.apache.log4j Implementation-Vendor: "Apache Software Foundation" DynamicImport-Package: * Implementation-Title: log4j Implementation-Version: 1.2.17 $ unzip -l log4j-core.jar org/apache/log4j/net/JMSAppender.class Archive: log4j-core.jar Name ---- org/apache/log4j/net/JMSAppender.class 1 file