Log4J Security Alert CVE-2021-44228 / CVE-2021-45046 Patch Availability Document for Oracle WebLogic Server and Fusion Middleware
(Doc ID 2827793.1)
Last updated on APRIL 11, 2024
Applies to:
Oracle WebLogic Server - Version 12.2.1.3.0 to 14.1.1.0.0 [Release 12c to 14c]Oracle Fusion Middleware - Version 12.2.1.3.0 to 12.2.1.4.0 [Release 12c]
Information in this document applies to any platform.
- Applies to any product installed with the FMW Infrastructure
- Applies to OHS, OID, and OUD standalone homes
Purpose
In response to Security Alert CVE-2021-44228, Oracle has released patches for Oracle Middleware products This document provides information on how to obtain and apply these security updates. Please note that these patches address vulnerabilities CVE-2021-44228 and CVE-2021-45046. A separate vulnerability, CVE-2021-45105, was also fixed with the patch listed below.
Please note that the Apache Software Foundation has published a number of mitigation steps in response to the Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046. These temporary mitigation steps for CVE-2021-44228 and CVE-2021-45046 are provided below for situations where the patch cannot be immediately applied. However, these mitigation steps do not address vulnerability CVE-2021-45105.
Oracle recommends that you apply the necessary patches as soon as possible to permanently address these vulnerabilities.
Last Update Date: 07/19/2022 06:30 pm ET (minor clarifications)
- To be notified when this document changes: Mark this article as a Favorite, and follow the instructions for Email Notification in Doc ID 793436.2.
Update for 04/19/2022 and later:
For the latest CUMULATIVE Critical Patch Update, see the following:
- Doc ID 2806740.2 Critical Patch Update (CPU) Patch Advisor for Oracle Fusion Middleware
- Log4j fixes were previously separate patches - now the fixes are included directly with the latest WLS PSU (and other product patches, as applicable).
- Popular inquires are answered in the FAQ / Known Issues and Doc ID 2847142.1, General impact of Apache Log4j vulnerabilities on Oracle Products and Services.
Scope
This document applies to:
- Oracle WebLogic Server 14.1.1, 12.2.1.4, and 12.2.1.3
- Oracle Fusion Middleware 12.2.1.4 and 12.2.1.3 products installed with the FMW Infrastructure.
- Standalone homes such as Oracle HTTP Server, Oracle Internet Directory, and Oracle Unified Directory have WebLogic Server components installed, including Log4J.
In earlier versions, (12.1.x, 11.1.x, 10.3.x) the Apache Log4j library included was version 1, which is not reported as having these vulnerabilities.
- Review the following to determine the impact for all Oracle products, which may have installed or use different Log4j jar files:
Doc ID 2827611.1 Impact of December 2021 Apache Log4j Vulnerabilities on Oracle Products and Services (CVE-2021-44228, CVE-2021-45046)
Details
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Purpose |
| Scope |
| Details |
| WebLogic Server Installed Log4j Files |
| Patch Availability for Oracle WebLogic Server and Oracle Fusion Middleware |
| Mitigation Plan |
| FAQ / Known Issues |
| References |