Security Alert CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 Mitigation for OEMM (Doc ID 2828359.1)

Last updated on MARCH 14, 2023

Applies to:

Oracle Enterprise Metadata Management - Version 12.2.1.2 to 12.2.1.4
Information in this document applies to any platform.
Only OEMM versions with a build date of 2021-12-10 or newer will be supported.

Purpose

This document provides mitigation steps to alleviate the impact associated with CVE-2021-44228 on Oracle Enterprise Metadata Management (OEMM). Refer to the Apache Log4j 2 vulnerability described in Security Alerts CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 for more details.

OEMM is not and has never been affected by this vulnerability (by design, because of our usage of Log4j). Any use of Log4j has always been disabled in OEMM.

Nonetheless, many desire a fix instead of the disclaimer. Therefore, OEMM has been upgraded to use and bundle the latest version of Apache Log4j, 2.17.0, which fixes CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

OEMM releases impacted are covered.
