My Oracle Support Banner

Oracle Cloud Infrastructure Web Application Firewall and Apache Log4j vulnerabilities (Doc ID 2847489.1)

Last updated on APRIL 01, 2022

Applies to:

Oracle Cloud Infrastructure Web Application Firewall - Version N/A and later
Information in this document applies to any platform.


In December 2021, the Apache Software Foundation disclosed a series of Log4j vulnerabilities. Additionally, Apache provided mitigation guidance and published software updates. For more information, see this Apache document.

To temporarily reduce exposure to these Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), use Oracle Cloud Infrastructure (OCI) Web Application Firewall (WAF).
However, if the vulnerable Apache Log4j components are used, then we recommend to follow the Apache instructions to fully remediate the environments.


OCI WAF service can help protect Internet-facing layer 7 (HTTP/HTTPS) web applications that are hosted within or outside OCI regions. It can also help protect Layer 7 (HTTP/HTTPS) applications that are hosted behind public or private OCI Flexible Load Balancer instances.

This document applies to OCI Web Application Firewall service. It explains how to configure OCI WAF Protection rules and enforce them at the Edge and/or on Flexible Load Balancer instances to help protect the web applications that are deemed vulnerable as temporary and partial measure until these vulnerabilities are fully remediated.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.