After part 1, where Oracle wrote in an official document there is no impact for your targets, Critical Patch Advisory April 2022 reveals multiple vulnerabilities, one of them is Log4J severity 9.8/10.
9.8 means it is kindergarden easy to compromise confidentiality, integrity and availability even without a login.
In the meanwhile, per 30. April, Oracle released 13.5 ru-6.
Don’t be fool, it is unsafe to assume the EM-Ru contains the EM-Cpu.
Yes, you have to apply the RU-5 or RU-6 to your OEM. Your repository database version must be certified too.
But also, even if you don’t use WLS, Coherence, FMW, FMW 3rd party, ADR, OWMS, OHS, OSS, OPSS, ADF, WebCenter, JDBC, OVD, JDK, SQL Developer, you have to patch each of those components in your OMS home with one or more separate patches.
Just to summarize, omspatcher applies 15 patches automatically, and later have to manually apply a dozen of one-off patches. Oracle Support told me:
As much as possible, Oracle tries to make Critical Patch Updates cumulative … Fixes for the other products that do not receive cumulative fixes are released as one-off patches.
Okay, once you are done, you can apply the RU-6 to your agents.
Here again, there are additional one-offs. For the central agent, patch the WLS. For all agents, apply the one-off for CVE-2022-21392.
I didn’t know this before researching for log4j issues. I won’t provide you the step here, because they may change over time. Just read the latest CPU very carefully.
Critical Patch Updates, Security Alerts and Bulletins (oracle.com)