
Apache Log4j Security Alert CVE-2021-44228, CVE-2021-45046 on PeopleSoft Applications (on PeopleTools 8.57 and later releases) (Doc ID 2828073.1)

Last updated on OCTOBER 27, 2023

Applies to:

PeopleSoft Enterprise PT PeopleTools - Version 8.57 to 8.59 [Release 8.4]
Information in this document applies to any platform.

Purpose

This document provides mitigation steps to alleviate the impact associated with CVE-2021-44228 and CVE-2021-45046 on PeopleSoft applications.
Refer to the Apache Log4j vulnerability described in Oracle Security Alert Advisory CVE-2021-44228 for more details.

Scope

This applies to PeopleSoft Applications on PeopleTools 8.57 and later releases.

PeopleTools Jan 2022 CPU (8.57.24, 8.58.17, 8.59.07) patches already have the mitigations applied.

In PeopleTools patches 8.58.18 and 8.59.08, log4j has been updated to version 2.17.1, which contains fixes for the CVEs addressed in this note.

Prior releases that are not in patch support have not been evaluated.

Important. Monitor this page for updates. Oracle plans to include a mitigation for PeopleSoft applications in an upcoming CPU patch. The plans and timing are not yet finalized.

 

Details



In this Document
Purpose
Scope
Details
 Version History
 Solution
 Application Server, Process Scheduler server, and Web server (PIA) domain
 ELK - Elasticsearch
 ELK - Logstash
 PeopleTools Client
 Change Assistant
 Oracle Database
 Tuxedo
 WebLogic Server
 Redeploying Web Server (PIA) does not upgrade the Apache log4j libraries in <PIA_Domain>/application/peoplesoft/lib 
References
