www.oracle.com
2600:1400:d:58b::a15
Public Scan
URL:
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
Submission: On February 17 via api from CA — Scanned from CA
Form analysis
1 forms found in the DOM
Name: askoracle — GET /search/results
<form name="askoracle" id="askoracle" class="askoracle" data-contentpaths="/content/Web/Shared/Auto-Suggest Panel Event" method="get" action="/search/results" data-resultsclose="Close" data-resultscloselabel="Exit Search Results">
<input type="hidden" name="Nty" value="1">
<input type="hidden" name="Dy" value="1">
<input type="hidden" name="Ntk" value="SI-ALL5">
<input type="hidden" name="cty" value="us">
<input type="hidden" name="lang" value="en">
<div class="u28w3">
<div class="u28logo rw-logo">
<span>Oracle</span>
</div>
<a class="u28-back rw-cv-left" href="#back" title="Close Search Field">
<span>Close</span>
</a>
<a class="u28-searchicon" href="#search" tabindex="-1">
<span>Search</span>
</a>
<span class="u28input">
<input id="askoracleinput" name="Ntt" value="" data-prefix="Ask" placeholder="Ask" autocomplete="off" role="combobox" aria-label="Search Oracle.com">
<span class="u28submit">
<input class="u28searchbttn" type="submit" value="Submit Search">
</span>
<div class="u28placeholder"><span style="display: none;">Ask "Analyst Reports"</span></div><a href="#" class="u28clsSearch" title="Clear Search Field"></a>
</span>
</div>
</form>
Text Content
ORACLE SECURITY ALERT ADVISORY - CVE-2021-44228

DESCRIPTION

This Security Alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. It also addresses CVE-2021-45046, which arose as an incomplete fix by Apache to CVE-2021-44228.

Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

AFFECTED PRODUCTS AND PATCH INFORMATION

Security vulnerabilities addressed by this Security Alert affect the product listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions | Patch Availability Document
Apache Log4j, versions 2.0-2.15.0 | My Oracle Support Document

SECURITY ALERT SUPPORTED PRODUCTS AND VERSIONS

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

REFERENCES

* Oracle Critical Patch Updates, Security Alerts and Bulletins
* Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
* Risk Matrix Definitions
* Use of Common Vulnerability Scoring System (CVSS) by Oracle
* English text version of the risk matrices
* CVRF XML version of the risk matrices
* Map of CVE to Advisory/Alert
* Oracle Lifetime support Policy
* JEP 290 Reference Blocklist Filter

RISK MATRIX CONTENT

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected.
The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

CREDIT STATEMENT

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.

MODIFICATION HISTORY

Date | Note
2021-December-17 | Rev 3. Updated CVSS score for CVE-2021-45046
2021-December-15 | Rev 2. Added CVE-2021-45046
2021-December-10 | Rev 1. Initial Release

THIRD PARTY COMPONENT RISK MATRIX

This Security Alert contains 2 new security patches for Third Party Component. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2021-44228 | Apache Log4j | All | Multiple | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 2.0 - 2.14.1 |
CVE-2021-45046 | Apache Log4j | All | Multiple | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 2.0 - 2.15.0 |