Oracle Security Alert for CVE-2021-44228: Part Two

  • Date: December 13, 2021
  • Article by: Jeff Henkel

Well, the good news is Oracle is rapidly updating their patching of the various tools leveraging Apache Log4j.  As such, the original list of products has been amended.

Presently Oracle Data Integrator has been updated with a fix.  This involves 2 steps:

  • Removing the JndiLookup.class file from the log4j-core-2.1.3.3 file in the environment.  This file can be found in EPM 11.2.x systems at:  
    • D:\Oracle\Middleware\EPMSystem11R1\common\loggers
    • Make a copy of the original file (rename it to -ORIG, just in case)
    • Rename the log4j-core-2.13.3.jar to log4j-core-2.13.3.zip
    • Open this file with 7-Zip or your preferred Zip utility and navigate down to:  C:\Oracle\Middleware\EPMSystem11R1\common\loggers\Log4j\1.2.14\lib\log4j-core-2.13.3.zip\org\apache\logging\log4j\core\lookup\
    • Delete JndiLookup.class
    • Close your .zip utility and rename your file back to log4j-core-2.13.3.jar
  • Navigate to D:\Oracle\Middleware\user_projects\epmsystem1\bin\DeploymentScripts and modify the JAVA_OPTIONS= line to include -Dlog4j2.formatMsgNoLookups=true.
    • The above should be done for each JVM in the environment, so it may need to be done in multiple files.  I also recommend making the change in the setDomainEnv.cmd/sh file in:  D:\Oracle\Middleware\user_projects\domains\EPMSystem\bin
  • Restart all services.

Oracle has determined that the following EPM Oracle products are vulnerable and do not have fixes available for CVE-2021-44228 yet.

·    Hyperion Data Relationship Management [Product ID 4375]

·    Hyperion Enterprise Performance Management Architect [Product ID 4392]

Lastly, Oracle has officially removed both Oracle HTTP Server and Oracle WebLogic Server from consideration.  So we’re just waiting for official word on EPMA and DRM, but I expect the solution for those to be similar, based on current research.  If you should need assistance with patching please let us know.  I’ve taken the liberty of bolding and increasing the font on the EPM/Hyperion products of concern.

Share me

Oracle Security Alert for CVE-2021-44228: Part Four

  • Date: Dec 16, 2021
  • Article by: Mike Turner
Read More

Oracle Security Alert for CVE-2021-44228: Part Three

  • Date: Dec 15, 2021
  • Article by: Jeff Henkel
Read More

Leave a Reply

Your email address will not be published. Required fields are marked *