
Impact of December 2021 Apache Log4j Vulnerabilities on Oracle on-premises products (CVE-2021-44228, CVE-2021-45046) (Doc ID 2830143.1)

Last updated on JANUARY 10, 2024

Applies to:

Oracle Fusion Applications
JD Edwards EnterpriseOne
Oracle Database Products
Oracle E-Business Suite
Information in this document applies to any platform.


On December 10th, Oracle released Security Alert CVE-2021-44228 in response to the disclosure of a new vulnerability affecting Apache Log4j prior to version 2.15.

Subsequently, the Apache Software Foundation released Apache Log4j version 2.16, which addresses an additional vulnerability (CVE-2021-45046). Mitigation instructions from Apache for these issues also evolved over time.

This document details the Oracle Products and Versions affected by CVE-2021-45046 and CVE-2021-44228. This information supersedes the information previously published solely for vulnerability CVE-2021-44228 and archived as MOS Note 2828594.1.


This document provides information about the availability of patches or mitigation instructions for products physically located in customers’ on-premises locations (including traditionally licensed products and cloud on-premises components).

For information about Oracle cloud environments, customers should refer to “Impact of December 2021 Apache Log4j Vulnerabilities on Oracle cloud environments (CVE-2021-44228, CVE-2021-45046)” (MOS Note ID 2830129.1).

If you do not find information about a given product in this MOS Note, you should look in the other MOS Note.

