Log4J and Oracle Enterprise Manager

Log4j issues allow a remote client to execute code without authentication.

Software vendors spent the last two months thinking of the impact and the mitigations.

The bad:

If you have Enterprise Manager, you have multiple web services, like em itself (https://oms.example.com:7799/em), the weblogic console (https://oms.example.com:7102/console), the agent (https://dbsrv01.example.com:3872/emd/main/) and others. This makes you an easy victim.

The good:

If you care about security, you have restricted access to your management server to the outside world. The more network firewalls between Mr Bad and OEM, the better.

What is impacted?

DISCLAIMER: the stated here may no longer be accurate when read

Log4J version 2.0 to 2.16

Other Log4J (version 1.x and 2.17) when used with JMSAppender.

What is fixed?

There is a patch for WLS that upgrade 2.11 to 2.17

MWHOME/oms/oracle_common/modules/thirdparty/log4j-2.11.1.jar

AGENTHOME/oracle_common/modules/thirdparty/log4j-2.11.1.jar

After applying 33727616, the version (but not the filename) is 2.17.0

$ unzip -p log4j-2.11.1.jar META-INF/MANIFEST.MF
Manifest-Version: 1.0
Bundle-Description: The Apache Log4j Implementation
Implementation-Title: Apache Log4j
Bundle-SymbolicName: org.apache.logging.log4j
Implementation-Version: 2.17.0
Archiver-Version: Plexus Archiver
Specification-Vendor: The Apache Software Foundation
Specification-Title: Apache Log4j
Bundle-Vendor: The Apache Software Foundation
Implementation-Vendor: The Apache Software Foundation
Bundle-Version: 2.17.0
Created-By: Apache Maven 3.6.3
Build-Jdk: 1.8.0_291

This has to be done on the MWHOME and on the agent of OMS only (the central management agent).

For the regular agents installed on the database servers, the version is 1.2.17 and JMSAppender is present

$ unzip -p log4j-core.jar META-INF/MANIFEST.MF| tail -6

Name: org.apache.log4j

Implementation-Vendor: "Apache Software Foundation"

DynamicImport-Package: *

Implementation-Title: log4j

Implementation-Version: 1.2.17




$ unzip -l log4j-core.jar org/apache/log4j/net/JMSAppender.class

Archive:  log4j-core.jar

Name

----

org/apache/log4j/net/JMSAppender.class

1 file

In 2837257.1 Oracle mentions

All Agents impacted (Patch WIP)

No Mitigation Plan

There are multiple notes on log4j in Oracle Support. Main note 2828296.1 mentions : Apart from Central agent no other target agent is Impacted

Either you know about the issue, and you invest time and money in fixing it

Or you are not sure if you are affected and you state the unknown impact and you keep investigating

Or you know you are not using log4j at all and you safely assume that there is no impact.

But anything else is just dangerously misleading information