![]() The easiest thing to do is to define a security exception and ignore the security finding at least for a while and wait for an official patch. But the security scanners still show a vulnerability. What now? Oracle Unified Directory does not seem to use Log4j. But since I am not a Java developer, this simple test was sufficient for me. There are certainly other tools and better methods to verify this. For a simple plausibility test, I used jProfiler to create a head dump of an Oracle Unified Directory instance and inspected the classes. The Java head dump of an OUD instance at least does not list any corresponding Log4j classes. However, it seems reasonable to assume that this is the case. See also Oracle Support Document 2830143.1.īut as far as I know, Log4j is not used at all in a regular OUD instance. Accordingly, the home directory of Oracle Unified Directory is in the focus of security scanners, which find the corresponding Apache Log4j library and identify it as a potential vulnerability. In particular the directory oracle_common/modules/thirdparty includes a bunch of third party modules. BackgroundĪs with many other products, Oracle Unified Directory also includes the Apache Log4j library. In this blog post I show how to find and install the appropriate patch for Oracle Unified Directory and check if the vulnerability is fixed. This is also the case with Oracle Unified Directory in several customer projects. Thus, it is not surprising that this vulnerability is still on our minds. Despite a great effort, many applications could only be corrected with a delay. Especially since Log4j is used relatively widely. ![]() With a CVSS rating of 10 out of 10, this vulnerability was or is extremely critical. ![]() In December 2021, the critical vulnerability in Apache Log4j (CVE-2021-44228) was disclosed.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |