Oracle Security Alert for CVE-2021-44228: Part Four
To further the work of my colleague, who has done a really good job of distilling all the log4j information coming from Oracle into a compact package focused on EPM, we have located an additional file which needs attention:
Financial Reporting: E:\oracle\Middleware\EPMSystem11R1\products\financialreporting\lib\log4j-core-2.3.jar
You will want to use 7-Zip to open this jar file as well and remove org/apache/logging/log4j/core/lookup/JndiLookup.class from it (the class is named JndiLookup.class, with a capital J). Stop the Financial Reporting service first so the jar is not locked, keep a backup copy of the original jar, and restart the service afterwards. Note that log4j-core 2.3 is older than 2.10, so the formatMsgNoLookups JVM option discussed below has no effect on this jar; removing the class is the only mitigation that applies to it.
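The same removal done from PowerShell with .NET's ZipArchive instead of 7-Zip, as an added example that is not part of the original post or of any Oracle-supplied tooling. It goes beyond the single jar named above and scans the whole Middleware tree for log4j-core jars, backing each one up before deleting the class and verifying the result; the E:\oracle\Middleware root is taken from the path in the post, and the assumption is that the affected services are already stopped so the jars are writable.

```powershell
# Added example, not from the original post: strip JndiLookup.class from every
# log4j-core jar under the EPM Middleware root. Run elevated, with the EPM
# services stopped (a running JVM keeps its jars locked). Requires PowerShell 5+.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$Root  = 'E:\oracle\Middleware'   # root named in the post; adjust per server
$Entry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Remove-JndiLookup {
    param([string]$JarPath)

    # Keep a timestamped copy of the original jar so the change can be reverted.
    $backup = "$JarPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Copy-Item -LiteralPath $JarPath -Destination $backup

    $zip = [System.IO.Compression.ZipFile]::Open($JarPath, [System.IO.Compression.ZipArchiveMode]::Update)
    try {
        $entry = $zip.GetEntry($Entry)        # jar entries use forward slashes
        if ($null -eq $entry) {
            Write-Host "  already clean: $JarPath"
            Remove-Item -LiteralPath $backup  # nothing changed, drop the backup
            return
        }
        $entry.Delete()
    } finally {
        $zip.Dispose()                        # flushes the rewritten archive to disk
    }

    # Re-open read-only and confirm the class is really gone before reporting success.
    $check = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try {
        if ($check.GetEntry($Entry)) { throw "JndiLookup.class still present in $JarPath" }
    } finally {
        $check.Dispose()
    }
    Write-Host "  removed $Entry from $JarPath (backup: $backup)"
}

# Any log4j-core 2.x jar under the tree is in scope, not just the Financial Reporting one.
Get-ChildItem -LiteralPath $Root -Recurse -Filter 'log4j-core-*.jar' -File | ForEach-Object {
    Write-Host "Checking $($_.FullName)"
    Remove-JndiLookup -JarPath $_.FullName
}
```

Note that the script only edits jars named log4j-core-*.jar; a copy of log4j-core repackaged under another name (inside a WAR or an uber-jar) would not be found this way and still has to be located by other means.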
Jeff also noted that the Java options in several files need updating to stop log4j from doing lookups. After some experimentation, I recommend instead setting the option on the Windows services that launch the web applications on each server, since those services carry their own JVM options in the registry.
For example, Foundation Services. Open regedit.exe and navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Hyperion Solutions\FoundationServices0\HyS9FoundationServices_Foundation
That key holds a DWORD value named JVMOptionCount. Open it and increase its decimal value by 1; mine was 38, so I made it 39.
Then right-click in the right pane of that same key (the JVMOptionNN values sit beside JVMOptionCount) and choose New > String Value. Name it JVMOptionNN, where NN matches the new count you just set; in my case the new count was 39, so the new value is JVMOption39.
Give its Value data the new JVM argument -Dlog4j2.formatMsgNoLookups=true. Keep in mind that it starts with -D (dash, capital D); without it Java does not treat the argument as a system property.
Repeat this for each web application service across all servers, then restart the services so the new JVM option takes effect. Two caveats: the property is only honoured by log4j 2.10 and later (it does nothing for the 2.3 jar above), and Apache has since stated that it is not a sufficient mitigation on its own, so treat it as defence in depth alongside removing JndiLookup.class.
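The registry steps above, scripted so they can be repeated across every Hyperion service on a server, as an added example that is not part of the original post or of Oracle's documentation. The JVMOptionCount plus JVMOption1..N layout is the one the post describes; the assumption is that every service key under HKLM\SOFTWARE\Hyperion Solutions\<product>\ that carries a JVMOptionCount value is a service launcher that should receive the option. The function checks for an existing copy of the argument first, so running it twice does not add duplicate entries.

```powershell
# Added example, not from the original post: append -Dlog4j2.formatMsgNoLookups=true
# to the JVMOptionNN list of every Hyperion Windows service on this server.
# Run elevated, then restart the affected services for the new option to take effect.
$Root   = 'HKLM:\SOFTWARE\Hyperion Solutions'
$Option = '-Dlog4j2.formatMsgNoLookups=true'   # note the leading -D

function Add-HyperionJvmOption {
    param([string]$KeyPath, [string]$JvmOption)

    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction Stop
    $count = [int]$props.JVMOptionCount

    # Idempotency: skip if a previous run or a manual regedit session already added it.
    for ($i = 1; $i -le $count; $i++) {
        if ($props."JVMOption$i" -eq $JvmOption) {
            Write-Host "  already present as JVMOption$i"
            return $false
        }
    }

    # Same order as the manual steps: bump the count, then add JVMOption<newcount>.
    $new = $count + 1
    Set-ItemProperty -LiteralPath $KeyPath -Name 'JVMOptionCount' -Type DWord -Value $new
    New-ItemProperty -LiteralPath $KeyPath -Name "JVMOption$new" -PropertyType String -Value $JvmOption | Out-Null
    Write-Host "  added JVMOption$new (JVMOptionCount $count -> $new)"
    return $true
}

# Walk <product>\<service> keys and patch every one that exposes a JVMOptionCount value.
Get-ChildItem -LiteralPath $Root | ForEach-Object {
    Get-ChildItem -LiteralPath $_.PSPath
} | Where-Object {
    (Get-ItemProperty -LiteralPath $_.PSPath).PSObject.Properties.Name -contains 'JVMOptionCount'
} | ForEach-Object {
    Write-Host $_.PSPath.Replace('Microsoft.PowerShell.Core\Registry::', '')
    Add-HyperionJvmOption -KeyPath $_.PSPath -JvmOption $Option
}
```

Export the Hyperion Solutions key with reg.exe before running this so the change can be rolled back, and check the service log after restart to confirm the JVM actually picked up the new argument.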
Oracle has a full Doc ID detailing these steps that can be found here.