Update 5 – Highly Critical Zero-Day Vulnerability Java Library Log4j (CVE-2021-44228)
22nd December 2021
We have had our partner merlin.zwo analyze the critical Log4j vulnerability in ORACLE installations. Regarding the current state of vulnerability in connection with typical database installations, we can summarize for the most common installations*:
(1) Not at risk according to the current status:
– The database itself. It does not use Log4j and is therefore not directly vulnerable.
– Weblogic server
– Forms server (based on Weblogic)
– Apex installations with Tomcat / ORDS, unless Log4j is explicitly enabled. We do not enable this on the systems we install.
– The Oracle Database Appliance (ODA)
(2) Patches are currently being created for:
– Oracle Enterprise Manager
– Oracle Golden Gate Studio
– Oracle Spatial and Graph
(3) Patches are available for:
– Oracle JDeveloper
– Oracle Reports Developer
– SQL Developer
– SQL Data Modeler
Indirect compromise of the database:
We see a major potential threat in web servers that are exposed to the Internet and at the same time have access to the database. These would be, for example, web stores, customer information systems, or systems that reach the database via REST calls. If one of these servers were to be "hijacked", the database access credentials stored on that server could be read out. This would then directly compromise the database!
We normally have no overview of which other systems have access to your database(s). Therefore, please check all systems with access to your database to see if they are at risk.
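One way to build that overview from the database side, as an added example that is not part of the original bulletin: list the client hosts and programs that connect to the Oracle database, both the sessions open right now and the logons recorded recently. It assumes SELECT privileges on V$SESSION and, for the second query, on UNIFIED_AUDIT_TRAIL with logon auditing enabled (Oracle 12c+ unified auditing).

```sql
-- Added example (not from the advisory): inventory the client systems that
-- connect to an Oracle database so each can be checked for Log4j exposure.
-- Assumes SELECT on V$SESSION and, for query 2, on UNIFIED_AUDIT_TRAIL with
-- logon auditing enabled (unified auditing, Oracle 12c and later).

-- 1) Clients connected right now, grouped by origin host and program.
SELECT machine,
       program,
       osuser,
       username,
       COUNT(*)        AS sessions,
       MIN(logon_time) AS earliest_logon
FROM   v$session
WHERE  type = 'USER'          -- skip Oracle background processes
GROUP  BY machine, program, osuser, username
ORDER  BY machine, program;

-- 2) Clients that logged on during the last 30 days, which also catches
--    systems that are not connected at this moment (batch jobs, REST
--    services, reporting tools).
SELECT userhost,
       client_program_name,
       os_username,
       dbusername,
       COUNT(*)             AS logons,
       MAX(event_timestamp) AS last_logon
FROM   unified_audit_trail
WHERE  action_name = 'LOGON'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '30' DAY
GROUP  BY userhost, client_program_name, os_username, dbusername
ORDER  BY last_logon DESC;
```

Rows whose program is reported as "JDBC Thin Client" come from Java applications and are the first candidates to check for a vulnerable Log4j version on the originating host.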
The complete list of affected Oracle products and available patches can be found here: https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
We will hereby close this information channel regarding Log4j. If you have any further questions or need technical support, please feel free to contact our Customer Center.
* VIVAVIS cannot assume liability for the abovementioned statements. The above statements are based on information received from the OEM manufacturers; despite utilizing best efforts to corroborate and validate said information, VIVAVIS cannot rule out that security issues might otherwise still exist.