
CVE-2021-44228 - High Profile Vulnerability In Log4j Library OPLA 3.6.1 (Doc ID 2828282.1)

Last updated on APRIL 04, 2025

Applies to:

Oracle Product Lifecycle Analytics - Version 3.6.1 and later
Information in this document applies to any platform.

Symptoms

PROBLEM STATEMENT

CVE-2021-44228 - High Profile Vulnerability in Log4j library OPLA 3.6.1

Vulnerability: CVE-2021-44228 – RCE in Apache Log4j
Impacted Versions: 2.0 <= Apache Log4j < 2.17.0
Patch Availability: This library needs to be upgraded to 2.17.0

Apache has released an official advisory containing patch details
https://logging.apache.org/log4j/2.x/security.html
Including -Dlog4j2.formatMsgNoLookups=true in your JVM options completely prevents exploitation.
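
To see which installed copies of log4j-core fall inside the impacted range above, the following added example (not part of this Oracle document and not Oracle tooling) walks an install directory, including jars packed inside .war/.ear archives, and reads each copy's version. The scan root is supplied by the caller, and relying on the jar's Maven pom.properties entry for the version is an assumption.

```python
import io
import os
import re
import zipfile

# Range stated in this document: 2.0 <= Apache Log4j < 2.17.0
AFFECTED_MIN, FIXED = (2, 0, 0), (2, 17, 0)
# Assumption: the jar was built by Maven and still carries its pom.properties
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> comparable (major, minor, patch) tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED


def inspect(archive, label, findings):
    """Record log4j-core found in this archive, then recurse into nested ones."""
    try:
        with zipfile.ZipFile(archive) as zf:
            names = zf.namelist()
            if POM in names:
                props = zf.read(POM).decode("utf-8", "replace")
                match = re.search(r"^version=(\S+)", props, re.M)
                if match:
                    version = match.group(1)
                    findings.append((label, version, is_affected(version)))
            for inner in names:
                if inner.lower().endswith(ARCHIVES):
                    inspect(io.BytesIO(zf.read(inner)), label + "!/" + inner, findings)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not a zip archive: nothing to report


def scan(root):
    """Return [(location, version, affected)] for every log4j-core under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, name)
                inspect(path, path, findings)
    return findings
```

Call scan() on the FMW and ODI install roots of the host; a location containing "!/" points at a jar packed inside another archive, and a copy that was renamed on disk is still identified because the version is read from inside the jar.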

STEPS

The issue can be reproduced at will with the following steps:
1. Install FMW 12.2.1.3.0 and ODI 12.2.1.3.0 as part of the OPLA 3.6.1 installation.
2. The security team reports the high-profile Log4j vulnerability (CVE-2021-44228 – RCE in Apache Log4j).

Cause
