My Oracle Support Banner

Impact of December 2021 Apache Log4j Vulnerabilities on Oracle Products and Services (CVE-2021-44228, CVE-2021-45046) (Doc ID 2827611.1)

Last updated on JULY 10, 2022

Applies to:

Oracle CRM On Demand
Enterprise Manager Ops Center - Version 12.4.0 to 12.4.0 [Release 12.0]
Oracle WebCenter Portal - Version to
Oracle Cloud Infrastructure - Database Service
Business Intelligence Server Enterprise Edition - Version to [Release 12g]
Information in this document applies to any platform.


On December 10th, Oracle released Security Alert CVE-2021-44228 in response to the disclosure of a new vulnerability affecting Apache Log4j prior to version 2.15. 

Subsequently, the Apache Software Foundation released Apache version 2.16 which addresses an additional vulnerability (CVE-2021-45046). Mitigation instructions from Apache for these issues also evolved over time.

This document details the Oracle Products and Versions affected by CVE-2021-45046 and CVE-2021-44228.  This information supersedes the information previously published solely for vulnerability CVE-2021-44228 and archived as MOS Note 2828594.1.

Note: A number of additional vulnerabilities affecting various versions of Apache Log4J were disclosed after the publication of CVE-2021-45046 and CVE-2021-44228.  For more information about these vulnerabilities, see “General impact of Apache Log4j vulnerabilities on Oracle Products and Services” MOS Note 2847142.1.



This document applies to all Oracle products and Oracle cloud services.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.