
CVE-2021-44832 Still Found Under Agile Server Cache Folder After Applying Patch in Doc ID:2827700.1 (Doc ID 2863114.1)

Last updated on JANUARY 24, 2024

Applies to:

Oracle Agile PLM Framework - Version 9.3.6.0 and later
Information in this document applies to any platform.

Symptoms

Actual Behavior

CVE-2021-44832 is still found under the Agile server cache folder after applying the patch explained in Doc ID 2827700.1.

Even after applying either of the patches explained in Doc ID 2827700.1, vulnerabilities are still detected in the Agile server cache path below:

%Agile_Home%/agileDomain/servers/{server_name}-Agile/tmp/_WL_user/AgilePLM/9phs2m/APP-INF/lib/log4j-core-2.17.0.jar

On every restart, the contents of the Agile server cache folder %Agile_Home%/agileDomain/servers/ are removed, but the older version is still detected.


Expected Behavior

CVE-2021-44832 should not be found in the Agile installation.

Steps

The issue can be reproduced at will with the following steps:

  1. Apply patch as explained in Doc ID 2827700.1
  2. Confirm patch installation completes successfully with "BUILD SUCCESSFUL" in install log: 9.3.6.xx.xx_Install.log
  3. Delete Agile server cache folder:
    %Agile_Home%/agileDomain/servers/{server_name}-Agile
  4. Restart Agile Application Server
  5. Observe that log4j-core-2.17.0.jar, which includes CVE-2021-44832, is still found under
    %Agile_Home%/agileDomain/servers/{server_name}-Agile/tmp/_WL_user/AgilePLM/xxxxxxx/APP-INF/lib/log4j-core-2.17.0.jar
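
A check that can follow step 5, as an added example that is not part of the Oracle note: it walks a directory such as %Agile_Home% and lists every log4j-core jar, including copies packed inside .ear/.war/.jar/.zip archives, marking versions affected by CVE-2021-44832. It assumes the version in the jar file name is accurate and uses the Apache fix releases 2.17.1, 2.12.4 and 2.3.2; the function names are illustrative.

```python
import io, os, re, sys, zipfile

# Version is taken from the file name (assumption: the jar has not been renamed).
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")
ARCHIVES = (".ear", ".war", ".jar", ".zip")

def affected(version):
    """True if this log4j-core 2.x version predates the CVE-2021-44832 fix."""
    major, minor, patch = version
    if major != 2:
        return False
    if minor == 3:            # Java 6 line, fixed in 2.3.2
        return patch < 2
    if minor == 12:           # Java 7 line, fixed in 2.12.4
        return patch < 4
    return (minor, patch) < (17, 1)   # main line, fixed in 2.17.1

def record(name, location, found):
    """Append (location, version, affected) if name is a log4j-core jar."""
    m = JAR_RE.search(name)
    if m:
        version = tuple(int(g or 0) for g in m.groups())
        found.append((location, ".".join(map(str, version)), affected(version)))

def scan_archive(source, origin, found):
    """Search an archive (path or file object), recursing into nested archives."""
    try:
        with zipfile.ZipFile(source) as zf:
            for name in zf.namelist():
                where = f"{origin}!/{name}"
                record(name, where, found)
                if name.lower().endswith(ARCHIVES):
                    scan_archive(io.BytesIO(zf.read(name)), where, found)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not a real archive: skip it

def scan(root):
    """Return every log4j-core jar under root, on disk or inside archives."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            record(fname, path, found)
            if fname.lower().endswith(ARCHIVES):
                scan_archive(path, path, found)
    return found

if __name__ == "__main__":
    for location, version, bad in scan(sys.argv[1]):
        print("AFFECTED" if bad else "ok      ", version, location)
```

Run it against the Agile home before and after the restart in step 4 to compare which locations still hold an affected copy.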

Changes

<Patch:33699861> was applied to the Agile Application Server, and then the patches explained in Doc ID 2827700.1 were applied.

Cause
