How to use Oracle Cloud Infrastructure Vulnerability Scanning Service to detect vulnerable Apache Log4j versions (Doc ID 2846469.1)

Last updated on MARCH 29, 2022

Applies to:

OCI Vulnerability Scanning Service
Information in this document applies to any platform.

Purpose

Oracle Cloud Infrastructure (OCI) Vulnerability Scanning Service (VSS) can scan OCI Compute instances, both bare metal and virtual machines (VMs), and container images that are stored in Oracle Cloud Infrastructure Registry (OCIR). The purpose of this document is to demonstrate how to use VSS to help identify OCI Compute hosts and container images that contain the versions of Apache Log4j that are affected by any of the following vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, or CVE-2021-44832.

Please note that VSS does not determine whether these Log4j CVEs are exploitable in your instance. You should refer to the relevant security bulletins to assess whether the conditions of exploitability exist in your environment.

Scope

This document explains how to configure VSS to scan your OCI Compute instances (VMs and bare metal) and container images (stored in OCIR) to detect whether they contain the versions of Apache Log4j that are affected by any of these vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, or CVE-2021-44832.

Details
