Oracle Security Alert for CVE-2021-44228: Part Two
Well, the good news is that Oracle is rapidly updating its patching of the various tools that leverage Apache Log4j. As such, the original list of products has been amended.
Presently Oracle Data Integrator has been updated with a fix. This involves 2 steps:
Step 1: Remove the JndiLookup.class file from the log4j-core-2.13.3.jar file in the environment. This file can be found in EPM 11.2.x systems at:
D:\Oracle\Middleware\EPMSystem11R1\common\loggers
· Make a copy of the original file (rename the copy to -ORIG, just in case).
· Rename log4j-core-2.13.3.jar to log4j-core-2.13.3.zip.
· Open this file with 7-Zip or your preferred Zip utility and navigate down to: C:\Oracle\Middleware\EPMSystem11R1\common\loggers\Log4j\1.2.14\lib\log4j-core-2.13.3.zip\org\apache\logging\log4j\core\lookup\
· Delete JndiLookup.class.
· Close your .zip utility and rename the file back to log4j-core-2.13.3.jar.
Step 2: Navigate to D:\Oracle\Middleware\user_projects\epmsystem1\bin\DeploymentScripts and modify the JAVA_OPTIONS= line to include -Dlog4j2.formatMsgNoLookups=true.
The above should be done for each JVM in the environment, so it may need to be done in multiple files. I also recommend making the same change in the setDomainEnv.cmd/sh file in: D:\Oracle\Middleware\user_projects\domains\EPMSystem\bin
Restart all services.
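The two steps above are a manual 7-Zip procedure. As an added example (not code from the original post or from Oracle), the following Python script does the same work in a way that can be audited and repeated across every JVM in the environment: it scans a directory tree for log4j-core jars that still contain JndiLookup.class, removes that single entry from a jar while keeping a -ORIG copy as the post recommends, and checks whether a deployment script's JAVA_OPTIONS= line already carries -Dlog4j2.formatMsgNoLookups=true. The function names, the jar-name pattern and the stand-in jar built by build_demo_jar (placeholder bytes, not a real Log4j build) are assumptions made for this example.

```python
import os
import re
import shutil
import tempfile
import zipfile

# The entry whose presence makes a log4j-core jar vulnerable to JNDI lookups (from the post).
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed pattern for log4j-core jar file names; the post's environment has log4j-core-2.13.3.jar.
LOG4J_CORE_RE = re.compile(r"^log4j-core-.*\.jar$", re.IGNORECASE)
# The JVM flag the post asks you to add to every JAVA_OPTIONS= line.
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def find_jars_with_jndi_lookup(root):
    """Walk `root` and return the log4j-core jars that still contain JndiLookup.class."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not LOG4J_CORE_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    if JNDI_ENTRY in zf.namelist():
                        hits.append(path)
            except zipfile.BadZipFile:
                continue  # not a readable jar; keep scanning the rest of the tree
    return hits


def strip_jndi_lookup(jar_path):
    """Remove JndiLookup.class from a jar, keeping a -ORIG backup as the post recommends.

    Returns True if the entry was removed, False if the jar did not contain it.
    zipfile cannot delete an entry in place, so the jar is rewritten entry by entry
    (from the backup) into a temp file that then replaces the original.
    """
    with zipfile.ZipFile(jar_path) as zf:
        if JNDI_ENTRY not in zf.namelist():
            return False
    backup = jar_path + "-ORIG"
    shutil.copy2(jar_path, backup)
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_ENTRY:
                continue
            dst.writestr(info, src.read(info.filename))  # keeps per-entry compression and metadata
    os.replace(tmp, jar_path)
    return True


def java_options_has_no_lookups(script_text):
    """True if a JAVA_OPTIONS= line in a .cmd/.sh deployment script already carries the flag."""
    for line in script_text.splitlines():
        if re.search(r"JAVA_OPTIONS\s*=", line) and NO_LOOKUPS_FLAG in line:
            return True
    return False


def build_demo_jar(path):
    """Construct a stand-in jar (placeholder bytes, not a real Log4j build) holding the JNDI entry."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe placeholder")
        zf.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe placeholder")


def demo():
    """Scan -> remediate -> re-scan on a constructed tree; returns the facts a change ticket would record."""
    with tempfile.TemporaryDirectory() as root:
        jar = os.path.join(root, "loggers", "log4j-core-2.13.3.jar")
        os.makedirs(os.path.dirname(jar))
        build_demo_jar(jar)
        before = find_jars_with_jndi_lookup(root)
        removed = strip_jndi_lookup(jar)
        after = find_jars_with_jndi_lookup(root)
        with zipfile.ZipFile(jar) as zf:
            remaining = zf.namelist()
        return len(before), removed, len(after), os.path.exists(jar + "-ORIG"), remaining


if __name__ == "__main__":
    print(demo())
    print(java_options_has_no_lookups("set JAVA_OPTIONS=-Xms512m " + NO_LOOKUPS_FLAG))
```

Run find_jars_with_jndi_lookup against D:\Oracle\Middleware before and after the change so the re-scan, not the rename dance, is what proves the class is gone; the scan is also the quickest way to find log4j-core copies bundled outside the common\loggers folder. Apache's own guidance treats removing the class as the mitigation to rely on, with the formatMsgNoLookups property as a secondary measure, which is a further reason to confirm Step 1 on every JVM rather than stopping at Step 2.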
Oracle has determined that the following EPM Oracle products are vulnerable and do not have fixes available for CVE-2021-44228 yet.
· Hyperion Data Relationship Management [Product ID 4375]
· Hyperion Enterprise Performance Management Architect [Product ID 4392]
Lastly, Oracle has officially removed both Oracle HTTP Server and Oracle WebLogic Server from consideration. So we're just waiting for official word on EPMA and DRM, but I expect the solution for those to be similar, based on current research. If you should need assistance with patching, please let us know. I've taken the liberty of bolding and increasing the font on the EPM/Hyperion products of concern.