10 January, 2022

WebLogic Log4j Vulnerability Security

In response to Security Alert CVE-2021-44228, Oracle has released patches for Oracle Middleware products.

 




Applies to:

Oracle WebLogic Server - Version 12.2.1.3.0 to 14.1.1.0.0

Oracle Fusion Middleware - Version 12.2.1.3.0 to 12.2.1.4.0

Information in this document applies to any platform.

- Applies to any product installed with the FMW Infrastructure

- Applies to OHS, OID, and OUD standalone homes

 

WebLogic Server Installed Log4j Files

WebLogic installs Apache Log4j version 2 as log4j.jar or log4j_2.11.1.0.0.

Location of the jar file:

$ORACLE_HOME/oracle_common/modules/thirdparty/features

 



Oracle Recommendation: 

 

Apply the Oracle WebLogic Server patch to upgrade the Apache Log4j version 2 libraries.

 

Security Alert CVE-2021-44228 / CVE-2021-45046 Patch Availability Document for Oracle WebLogic Server and Fusion Middleware (Doc ID 2827793.1)

Pre-Requisites:

a. Back up the Oracle home

b. Back up OPatch

c. Back up deployments and any other required files


Apply these patches in sequence:

 

In this example, we are applying patches for Oracle WebLogic version 12.2.1.4.

 1.   OPatch Version

Upgrade OPatch to the latest version, 13.9.4.2.7.

Download the patch p28186730_139427_Generic.zip

Unzip the patch

export ORACLE_HOME=/u01/app/oracle/product/12.2.1.4/Middleware/Oracle_Home

export JAVA_HOME=/u01/app/oracle/jdk1.8.0_311

export PATH=$JAVA_HOME/bin:$PATH

 

cd 6880880

[oracle@WLS-RHEL8 6880880]$ java -jar opatch_generic.jar

 Check the OPatch version


 


 

 2.   Apply Coherence patch 33286160

This is a prerequisite patch. Applying it is recommended; otherwise Node Manager will not start properly.

 

[oracle@WLS-RHEL8 33416868]$ ls

etc  files  README.html  README.txt

[oracle@WLS-RHEL8 33416868]$ opatch apply

Oracle Interim Patch Installer version 13.9.4.2.7

Copyright (c) 2022, Oracle Corporation.  All rights reserved.

 

 

Oracle Home       : /u01/app/oracle/product/12.2.1.4/Middleware/

Patching component oracle.wls.core.app.server, 12.2.1.4.0...

Patch 33416868 was successfully applied.

Log file location: /u01/app/oracle/product/12.2.1.4/Middleware/Oracle_Home/cfgtoollogs/opatch/opatch2022-01-05_05-06-05AM_1.log

 

OPatch succeeded.

 

 3.    Apply WLS PATCH SET UPDATE 12.2.1.4.210930 (Patch 33416868)

 

[oracle@WLS-RHEL8 33416868]$ ls

etc  files  README.html  README.txt

[oracle@WLS-RHEL8 33416868]$ opatch apply

Oracle Interim Patch Installer version 13.9.4.2.7

Copyright (c) 2022, Oracle Corporation.  All rights reserved.

 

 

Oracle Home       : /u01/app/oracle/product/12.2.1.4/Middleware/

Patching component oracle.wls.core.app.server, 12.2.1.4.0...

Patch 33416868 was successfully applied.

Log file location: /u01/app/oracle/product/12.2.1.4/Middleware/Oracle_Home/cfgtoollogs/opatch/opatch2022-01-05_05-06-05AM_1.log

 

OPatch succeeded.

 

 

 

 4.   WLS OVERLAY PATCH FOR 12.2.1.4.0 OCT 2021 PSU (Patch 33691226) for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

 

 

[oracle@WLS-RHEL8 software]$ cd 33691226/

[oracle@WLS-RHEL8 33691226]$ ls

etc  files  README.txt

[oracle@WLS-RHEL8 33691226]$ opatch apply

 

Patching component oracle.log4j.log4j, 2.11.1.0.0...

Patch 33691226 successfully applied.

Log file location: /u01/app/oracle/product/12.2.1.4/Middleware/Oracle_Home/cfgtoollogs/opatch/opatch2022-01-05_05-13-21AM_1.log

 

OPatch succeeded.

 

 5.   Confirm the applied patches

./opatch lspatches

 




Confirmation of Vulnerability Patch:

cd $ORACLE_HOME/oracle_common/modules/thirdparty/features

unzip -p log4j*.jar META-INF/MANIFEST.MF
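
The manifest check above, extended to every log4j*.jar under a directory and to a numeric version comparison, as an added example (not part of the original post or Oracle's tooling). The function names and the MIN_FIXED default of 2.17.0, the upstream Apache Log4j release that addresses CVE-2021-45105, are assumptions; the manifests in demo are constructed.

```shell
# Added example: audit Log4j jar versions under an Oracle home after patching.
# MIN_FIXED is an assumption; override it to match Oracle's patch documentation.
MIN_FIXED="${MIN_FIXED:-2.17.0}"

# Print Implementation-Version from manifest text on stdin (manifests use CRLF).
manifest_version() {
  tr -d '\r' | awk -F': ' '$1 == "Implementation-Version" { print $2; exit }'
}

# Succeed when dotted version $1 is numerically lower than $2 (so 2.9 < 2.17).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Classify manifest text on stdin: UNKNOWN (no version field), LOG4J1 (1.x,
# outside the 2.x CVEs in this post), OUTDATED (< MIN_FIXED) or PATCHED.
classify_manifest() {
  v=$(manifest_version)
  case "$v" in
    "")  echo "UNKNOWN -" ;;
    1.*) echo "LOG4J1 $v" ;;
    *)   if version_lt "$v" "$MIN_FIXED"; then echo "OUTDATED $v"; else echo "PATCHED $v"; fi ;;
  esac
}

# Report every log4j*.jar below directory $1 as "<status> <version> <path>".
scan_log4j() {
  find "$1" -type f -name 'log4j*.jar' 2>/dev/null | while IFS= read -r jar; do
    status=$(unzip -p "$jar" META-INF/MANIFEST.MF 2>/dev/null | classify_manifest)
    printf '%s %s\n' "$status" "$jar"
  done
}

# Dry run on constructed manifests (sample data, not from a real Oracle home).
demo() {
  for ver in 2.11.1 2.17.0 1.2.17; do
    printf 'Implementation-Version: %s\r\n' "$ver" | classify_manifest
  done
}

# With a directory argument scan it, e.g. sh audit.sh "$ORACLE_HOME"; else demo.
if [ -n "${1:-}" ]; then scan_log4j "$1"; else demo; fi
```

Any OUTDATED line after patching points to a jar the overlay patch did not replace, such as a copy bundled inside a deployed application.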




Security Warning

After the security patches are applied, the WebLogic console will show various security warnings. Click each link and remediate the warnings one by one.



Oracle Metalink Documents:

- Security Alert CVE-2021-44228 / CVE-2021-45046 Patch Availability Document for Oracle WebLogic Server and Fusion Middleware (Doc ID 2827793.1)

- Impact of December 2021 Apache Log4j Vulnerabilities on Oracle Products and Services (CVE-2021-44228, CVE-2021-45046) (Doc ID 2827611.1)

