Proactive and Reactive Measures for CVE-2021-44228 Log4j 2 exploitation

CVE-2021-44228 vulnerability for oc4j on OEM server:

EM 13.5

    FMW Component on OMS Home
    DB Plugin Home
    FMW Component on Agent Home

Steps to perform on each component:

Patch/Mitigate FMW component on OMS Home

1. Stop the OMS and set the environment variables
    export ORACLE_HOME=<Middleware_Home>
    export PATH=$ORACLE_HOME/bin:$PATH
    export PATH=$ORACLE_HOME/OMSPatcher:$PATH
    $ emctl stop oms -all
2. Apply the patches in the below order
    a. Apply OCT WLS PSU Patch 33416868 on OMS Middleware Home (Mandatory)
    b. Apply Overlay Patch 33671996 on OMS Middleware Home (To resolve Log4j2.X vulnerability)
3. Restart OMS
    $ emctl start oms

Important Instructions:

1. This Patch has to be applied on OMS HOME (ORACLE_HOME=$MIDDLEWARE_HOME)
2. Upcoming JAN 2022 WLS PSU Patch contains the fix of Log4j2.x Vulnerability (Patch not yet released)

Patch/Mitigate Agent Home

Patch details will be updated in this section once available

Mitigation Plan

Navigate to location
    $AGENT_HOME/oracle_common/modules/thirdparty/

Run the below command
    $ zip -q -d log4j-2.11.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Verify the removal of class on the LOG4J core jar
    $ unzip -l log4j-2.11.1.jar | grep JndiLookup.class

Restart the Agent
    <agent_inst>/bin/emctl stop agent
    <agent_inst>/bin/emctl start agent

Note: These steps have to be performed on each agent home
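
Because the mitigation has to be repeated on every agent home, a small checker can confirm that none was missed. The script below is an added example, not part of the original post or of any Oracle tooling; it assumes the agent home paths are passed as arguments and that any log4j*.jar in the thirdparty directory should be checked.

```python
import os
import sys
import zipfile

# Class removed by the mitigation, and the directory named in the steps above.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
THIRDPARTY = os.path.join("oracle_common", "modules", "thirdparty")


def jar_has_jndilookup(jar_path):
    """True if the class is still in the jar, False if removed, None if unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return JNDI_CLASS in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return None


def audit_agent_home(agent_home):
    """Map each log4j*.jar in the agent's thirdparty directory to a status string."""
    labels = {True: "present", False: "removed", None: "unreadable"}
    directory = os.path.join(agent_home, THIRDPARTY)
    results = {}
    if not os.path.isdir(directory):
        return results  # empty result: wrong path or no thirdparty directory
    for name in sorted(os.listdir(directory)):
        if name.startswith("log4j") and name.endswith(".jar"):
            results[name] = labels[jar_has_jndilookup(os.path.join(directory, name))]
    return results


def audit(agent_homes):
    """Run the check over several agent homes (paths supplied by the caller)."""
    return {home: audit_agent_home(home) for home in agent_homes}


if __name__ == "__main__":
    pending = False
    for home, jars in audit(sys.argv[1:]).items():
        if not jars:
            print(f"{home}: no log4j jar found, check the path")
            pending = True
        for jar, status in jars.items():
            print(f"{home}: {jar}: JndiLookup.class {status}")
            pending = pending or status != "removed"
    # Non-zero exit status when any agent home still needs attention.
    sys.exit(1 if pending else 0)
```
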

Patch/Mitigate DB Plug-in Home

1. Stop the OMS and set the environment variables
    export ORACLE_HOME=<Middleware_Home>
    export PATH=$ORACLE_HOME/bin:$PATH
    export PATH=$ORACLE_HOME/OMSPatcher:$PATH
    $ emctl stop oms -all
2. Apply Patch 33672721 on OMS Middleware HOME
3. Navigate to the <PATCH_TOP_DIR>/33672721 directory:
    cd <PATCH_TOP_DIR>/33672721
    omspatcher apply -bitonly
4. Start OMS server
    $ emctl start oms

Important Instructions:

1. This Patch 33672721 is applicable on the base version or any RU level (RU01 and RU02) of the OEM 13.5 version.
2. The 13.5 patch needs to be applied in bit-only mode. If it is applied in normal mode, starting of omspatcher will fail because job_queue_processes would have been set to 0. To fix it, job_queue_processes needs to be set to an earlier value and then start oms.
3. The patch can be applied in a rolling manner. No need for complete downtime. In the case of a multi-OMS environment, the patch needs to be applied on every OMS (stop OMS, apply the patch using omspatcher apply -bitonly, start OMS).
4. omspatcher needs to be of version 13.9.5.0.0 or later. Customers on 13.5 RU01 or RU02 will have version 13.9.5.0.0 or higher by default.
5. For customers on the 13.5 base release (without any RU), omspatcher needs to be upgraded to the latest available (13.9.5.1.0, which was released with RU02) before applying the one-off patch.
6. If the customer is on the 13.5 base release or 13.5 RU01, apply this one-off patch to fix the vulnerability. If the customer applies RU02 in the future, the vulnerability will get introduced again. In such a case, the existing one-off patch needs to be rolled back in bit-only mode and the same patch applied again in bit-only mode to resolve the issue.

 
