Oracle Security Alert for CVE-2021-44228: Part Three

As promised, we are keeping clients and readers abreast of changes in the Log4j issue as Oracle continues to update its patches and remediation guidance.

It has come to my attention that there are 2 additional Log4j files in the EPM environment. Though Oracle states they are unused, it’s better to remove the JndiLookup.class file from them as a precautionary measure.

As before, you can open the .jar archive directly with a tool like 7-Zip, or rename it to a .zip and modify it that way.  Just remember to rename the file back to .jar when complete.

The locations of all three files, in the 11.2.x suite, are as follows:

  • OHS: D:\Oracle\Middleware\ohs\oracle_common\modules\thirdparty\log4j-2.11.1.jar

  • WebLogic: D:\Oracle\Middleware\oracle_common\modules\thirdparty\log4j-2.11.1.jar

  • Common: D:\Oracle\Middleware\EPMSystem11R1\common\loggers\Log4j\1.2.14\lib\log4j-core-2.13.3.jar

For the two log4j-2.11.1.jar files, the path inside the .jar/.zip file to find and delete the JndiLookup.class file is:  org\apache\logging\log4j\core\lookup\

For the log4j-core-2.13.3.jar, the path inside the .jar/.zip file to find and delete the JndiLookup.class file is:  org\apache\logging\log4j\core\lookup\

The log4j-2.11.1.jar has a slightly different internal folder structure from the ‘core’ file. The paths above are identical, but the layout you see inside the .jar is different, so be aware of this when modifying the files.
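A scripted equivalent of the manual 7-Zip edit described above, as an added example that is not from Oracle or the original post: it matches JndiLookup.class by the tail of its entry path, so a jar with a different internal layout is handled the same way. The function names and the sample jar are assumptions constructed for illustration.

```python
import os
import shutil
import tempfile
import zipfile

# Entry name as stored in the archive (zip entries always use forward slashes).
TARGET = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_jndi_entries(jar_path):
    """Return every entry whose name ends with the JndiLookup.class path."""
    with zipfile.ZipFile(jar_path) as jar:
        return [n for n in jar.namelist() if n.endswith(TARGET)]


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; keep the original as .bak."""
    removed = find_jndi_entries(jar_path)
    if not removed:
        return []  # already remediated, leave the file untouched
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in removed:  # copy everything except the class
                dst.writestr(info, src.read(info.filename))
    shutil.copy2(jar_path, jar_path + ".bak")  # backup still contains the class
    os.replace(tmp_path, jar_path)
    return removed


def demo():
    """Build a constructed sample jar, strip it, and report before/after."""
    workdir = tempfile.mkdtemp()
    jar_path = os.path.join(workdir, "sample-log4j.jar")  # constructed, not a real Log4j jar
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(TARGET, b"placeholder bytes")
        jar.writestr("org/apache/logging/log4j/core/lookup/Interpolator.class", b"x")
    removed = strip_jndi_lookup(jar_path)
    return removed, find_jndi_entries(jar_path), jar_path


if __name__ == "__main__":
    print(demo())
```

Running `find_jndi_entries` against each of the three jars afterwards confirms the class is gone; the `.bak` copy still contains it and should be moved out of the modules folder once the edit is verified.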

You’ll still want to add the WebLogic Java_Option to block lookups anyway.  This is discussed in Part Two of the series, but you can:

  • Navigate to D:\Oracle\Middleware\user_projects\epmsystem1\bin\DeploymentScripts and modify the JAVA_OPTIONS= line to include -Dlog4j2.formatMsgNoLookups=true. You should do this for each product's startup file.

  • You should also do this for the setDomainEnv.cmd/sh file in: D:\Oracle\Middleware\user_projects\domains\EPMSystem\bin

Oracle has a full Doc ID detailing these steps that can be found here.
