Impact of December 2021 Apache Log4j Vulnerabilities on Oracle cloud environments (CVE-2021-44228, CVE-2021-45046)
(Doc ID 2830129.1)
Last updated on FEBRUARY 07, 2022
Applies to: Oracle Fusion Financials Common Module Cloud Service - Version 220.127.116.11.0 to 18.104.22.168.0 [Release 1.0]
Information in this document applies to any platform.
On December 10th, Oracle released Security Alert CVE-2021-44228 in response to the disclosure of a new vulnerability affecting Apache Log4j prior to version 2.15.
Subsequently, the Apache Software Foundation released Apache Log4j version 2.16, which addresses an additional vulnerability (CVE-2021-45046). Mitigation instructions from Apache for these issues also evolved over time.
The Oracle cloud operations and security teams continue to evaluate all information related to CVE-2021-45046 and CVE-2021-44228.
This document provides information about the remedial status of Oracle cloud environments (e.g., Oracle Applications, Oracle NetSuite, Oracle Cloud Infrastructure, Oracle Industry Clouds) in response to vulnerabilities CVE-2021-44228 and CVE-2021-45046.
Note that remediation activities in these cloud environments have been ongoing since the initial release of the Alert, and some customers may have already received notifications of mandatory maintenance (if the maintenance resulted in a noticeable impact such as service interruption).
For information about Oracle on-premises products, customers should refer to “Impact of December 2021 Apache Log4j Vulnerabilities on Oracle on-premises products (CVE-2021-44228, CVE-2021-45046)” (MOS Note ID 2830143.1).
If you do not find information about a given product in this MOS Note, you should look in the other MOS Note.