Oracle has provided updated instructions for Hyperion 11.2. Application-specific instructions can be found by following the ‘My Oracle Support Documents’ link.
On Friday, Oracle issued a security alert that may affect your Oracle EPM systems.
What is it:
The vulnerability, assigned the identifier CVE-2021-44228, is in a Java-based logging tool called “log4j” and lets an unauthenticated attacker gain full control of the web server.
What is affected:
Any web application that uses this tool is potentially vulnerable; however, only log4j versions 2.0 to 2.14 contain the flaw.
EPM 22.214.171.124 and lower: We have investigated in our lab environment. All instances of the tool are versions lower than 2.0. Although this is promising, we have yet to hear from Oracle directly. Stay tuned.
EPM 11.2.x: This release definitely uses affected versions of log4j, so it is important to address it as soon as possible.
Oracle EPM Cloud: No information is available at this time. Remediation is also outside the client’s control.
What needs to be done:
Oracle has not yet released patches. The makers of the tool, the Apache Software Foundation, have released a fixed version, 2.15.
There are several mitigation strategies:
- Set the system property “log4j2.formatMsgNoLookups” to “true” (effective for versions 2.10 to 2.14)
- Remove the JndiLookup class from the classpath
- Manually update all affected copies of the tool to 2.15
We are still validating these tactical mitigations and will follow up when we have a procedure ready, or when there are other patching developments.
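As an added example (not Oracle's tooling and not part of this advisory), the following Python script applies the version ranges and mitigations listed above to a directory tree such as an EPM Middleware home: it finds every jar that carries log4j-core classes (shaded copies included), reads the version from the jar's Maven metadata or manifest, and reports each copy as not affected, vulnerable, mitigated or fixed. It also implements the second mitigation (rebuilding a jar without JndiLookup.class) and exercises it on a constructed stand-in jar. The class path, the Maven metadata path and the manifest field it reads are assumptions about how log4j-core jars are labelled; the sample jar is constructed test data, not a real log4j build.

```python
import io
import os
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"   # assumed class path
CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # assumed Maven metadata

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version, has_jndi_lookup, no_lookups_property=False):
    """Advisory rules: <2.0 not affected; >=2.15 fixed; 2.0-2.14 vulnerable unless
    JndiLookup is removed, or (2.10-2.14 only) log4j2.formatMsgNoLookups=true is set."""
    if version is None:
        return "vulnerable (version unknown)" if has_jndi_lookup else "unknown"
    v = parse_version(version)
    if v < (2, 0, 0):
        return "not affected"
    if v >= (2, 15, 0):
        return "fixed"
    if not has_jndi_lookup:
        return "mitigated (JndiLookup removed)"
    if no_lookups_property and v >= (2, 10, 0):
        return "mitigated (formatMsgNoLookups)"
    return "vulnerable"

def read_version(zf):
    """Version string from Maven pom.properties or the manifest, else None."""
    names = set(zf.namelist())
    for name, pattern in ((POM_PROPS, r"^version=(\S+)"),
                          ("META-INF/MANIFEST.MF", r"^Implementation-Version:\s*(\S+)")):
        if name in names:
            m = re.search(pattern, zf.read(name).decode("utf-8", "replace"), re.M)
            if m:
                return m.group(1)
    return None

def inspect_jar(jar, no_lookups_property=False):
    """(version, has_jndi_lookup, status) for a jar path/file object; None if no log4j-core."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None
        version = read_version(zf)
    has_jndi = JNDI_LOOKUP in names
    return version, has_jndi, classify(version, has_jndi, no_lookups_property)

def scan_tree(root, no_lookups_property=False):
    """Inspect every *.jar below root (shaded jars included); unreadable jars are skipped."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                path = os.path.join(dirpath, f)
                try:
                    found = inspect_jar(path, no_lookups_property)
                except zipfile.BadZipFile:
                    continue
                if found:
                    results[path] = found
    return results

def remove_jndi_lookup(src, dst):
    """Mitigation 2: copy the jar to dst without JndiLookup.class; True if it was dropped."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
            else:
                zout.writestr(item, zin.read(item.filename))
    return removed

def build_sample_jar(dst, version, with_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar (test data, not a real build)."""
    with zipfile.ZipFile(dst, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

def demo_roundtrip(version="2.11.1"):
    """Status of a constructed jar before and after JndiLookup removal, all in memory."""
    before, after = io.BytesIO(), io.BytesIO()
    build_sample_jar(before, version)
    status_before = inspect_jar(before)[2]
    remove_jndi_lookup(before, after)
    return status_before, inspect_jar(after)[2]

if __name__ == "__main__":
    print(demo_roundtrip())  # ('vulnerable', 'mitigated (JndiLookup removed)')
    for path, (ver, jndi, status) in sorted(scan_tree(".").items()):  # "." = install root to audit
        print(f"{path}: version={ver} JndiLookup={'present' if jndi else 'absent'} -> {status}")
```

Run it from the EPM installation root and keep the printed inventory: a replaced or rebuilt jar must replace every copy the inventory lists, not only the first one found. Both tactical mitigations take effect only after the JVM is restarted, and the system property has to be set in the startup options (as -Dlog4j2.formatMsgNoLookups=true) of every JVM that loads an affected copy; pass no_lookups_property=True to scan_tree only for hosts where that has actually been done.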
Call to Action:
If you are on 11.2.x, please prepare for rapid deployment of the mitigation steps. If you need assistance with this, please call us or email us at firstname.lastname@example.org