CVE-2021-44228 Advisory for Oracle E-Business

CVE-2021-44228 Advisory for Oracle E-Business

big
Hi,
On R12.2.4, DB 11.2.0.4, on AIX.

In note 2827804.1 Oracle proposes a workaround for CVE-2021-44228:

[oracle@app01 ~]$ export LOG4J_FORMAT_MSG_NO_LOOKUPS=true
[oracle@app01 ~]$ adstpall.sh
[oracle@app01 ~]$ adstrtal.sh

My questions are:

1- Should we run "export LOG4J_FORMAT_MSG_NO_LOOKUPS=true" every time we stop/start our system, or only one time for good?
2- If only one time for good, how will the value "true" for LOG4J_FORMAT_MSG_NO_LOOKUPS be kept permanently for the system?
3- If we should export its value every time we stop/start, how can we make it permanent?
Putting it in .profile cannot help because, since we stop/start it via crontab, the values from .profile are discarded, I think.

Thanks and regards.
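The third question is really about how cron launches things: a crontab job runs in a non-login shell, so ~/.profile is never read and an export placed there does not reach adstpall.sh or adstrtal.sh. The usual answer is to point the crontab at a small wrapper that sets the variable itself and then calls the start/stop script, so the JVMs inherit it on every restart. The script below is an added illustration of that pattern, not code from the post, from the Oracle note, or from Oracle; the EBS environment file path (EBS_ENV_FILE) and the wrapper name are assumptions, and the variable only affects JVMs started after the export, so anything already running has to be restarted through the wrapper.

```shell
#!/bin/sh
# Added example: cron-safe wrapper that exports the mitigation variable from
# note 2827804.1 in the same environment that launches adstpall.sh/adstrtal.sh.
# cron uses a non-login shell, so ~/.profile is NOT read; the wrapper must set
# the value itself. Paths below are placeholders, not values from the note.

# Assumed: a file that sets up the apps environment (PATH to ad*.sh scripts).
EBS_ENV_FILE="${EBS_ENV_FILE:-/u01/install/APPS/ebs_apps.env}"

# Export the mitigation variable. Only JVMs started afterwards, by a process
# that inherits this environment, will see it.
export_log4j_mitigation() {
    LOG4J_FORMAT_MSG_NO_LOOKUPS=true
    export LOG4J_FORMAT_MSG_NO_LOOKUPS
}

# Return 0 when the current shell carries the expected value.
mitigation_is_set() {
    [ "${LOG4J_FORMAT_MSG_NO_LOOKUPS:-}" = "true" ]
}

# Run an arbitrary command with the mitigation exported; the child inherits it.
run_with_mitigation() {
    export_log4j_mitigation
    "$@"
}

# Self-check: ask a child shell what it actually sees. Prints "true" when the
# variable reached the child, "unset" otherwise.
child_sees_mitigation() {
    run_with_mitigation sh -c 'printf %s "${LOG4J_FORMAT_MSG_NO_LOOKUPS:-unset}"'
}

# Entry point for crontab: wrapper.sh stop|start
ebs_control() {
    action="$1"
    # Source the apps environment if present so the ad*.sh scripts are on PATH
    # (assumed file; skipped when absent so the functions can be tested alone).
    if [ -r "$EBS_ENV_FILE" ]; then
        . "$EBS_ENV_FILE"
    fi
    case "$action" in
        stop)  run_with_mitigation adstpall.sh ;;
        start) run_with_mitigation adstrtal.sh ;;
        *)     echo "usage: $0 stop|start" >&2; return 2 ;;
    esac
}

# Only act when invoked with an argument, so the file can also be sourced
# for its functions (e.g. to run the self-check interactively).
if [ $# -gt 0 ]; then
    ebs_control "$1"
fi
```

With the wrapper saved as, say, /home/oracle/bin/ebs_wrapper.sh, the crontab lines would call `ebs_wrapper.sh stop` and `ebs_wrapper.sh start` instead of adstpall.sh and adstrtal.sh directly; running `child_sees_mitigation` after sourcing the file is a quick way to confirm a child process really inherits the value before trusting the scheduled restart.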



Re: CVE-2021-44228 Advisory for Oracle E-Business

ErmanArslansOracleBlog
Administrator
LOG4J_FORMAT_MSG_NO_LOOKUPS is no longer in that document..
It seems the document 2827804.1 was updated yesterday.. So please check it again.
There is a new mitigation plan for Oracle E-Business Suite Core Functionality...

Also there is the following note;

If you have implemented any Oracle E-Business Suite Information Discovery Plus products, apply Patch 33660626.

Re: CVE-2021-44228 Advisory for Oracle E-Business

big
Hi,
Thank you.

Yes, Oracle issued a patch for it.

In the README it says:

For 12.2.X patches (using adop), you can perform the tasks in this section
without shutting down the Application tier services.

1. Apply patch [required]
Apply the patch with ADOP:
adop phase=apply patches=33672402

So we don't need to run the PREPARE, APPLY, FINALIZE, CUTOVER, CLEANUP cycle?

Thanks.

Re: CVE-2021-44228 Advisory for Oracle E-Business

ErmanArslansOracleBlog
Administrator
According to the instructions that you sent me in your previous update, you should apply the patch using the online patching cycle.
So you should go through all the phases of adop -> PREPARE, APPLY, FINALIZE, CUTOVER, CLEANUP..