Log4j alerts in prod oracle apps

Mohammed Hamed
Hi Erman,

We are getting a lot of incidents from our application servers related to the log4j files on our machines.

  Path                                   : /u01/app/oracle/fs1/FMW_Home/oracle_common/sysman/jlib/log4j-core.jar
  Installed version                      : 1.2.13
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



  Path                                   : /u01/app/oracle/fs1/EBSapps/10.1.2/sysman/jlib/log4j-core.jar
  Installed version                      : 1.1.1
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



  Path                                   : /u01/app/oracle/fs1/FMW_Home/utils/bsu/cache_dir/RAWM.jar
  Installed version                      : 1.2.8
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



  Path                                   : /u01/app/oracle/fs1/FMW_Home/utils/bsu/bsu_update/GA/modules/com.bea.core.apache.log4j_1.2.13.jar
  Installed version                      : 1.2.13
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



  Path                                   : /u01/app/oracle/fs1/FMW_Home/utils/bsu/bsu_update/Patch/modules/com.bea.core.apache.log4j_1.2.13.jar
  Installed version                      : 1.2.13
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



  Path                                   : /u01/app/oracle/fs1/FMW_Home/utils/ccr/lib/log4j-core.jar
  Installed version                      : 1.1.1
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



  Path                                   : /u01/app/oracle/fs1/FMW_Home/webtier/OPatch/ocm/lib/log4j-core.jar
  Installed version                      : 1.1.1
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



  Path                                   : /u01/app/oracle/fs1/FMW_Home/webtier/OPatch_20230203200100/ocm/lib/log4j-core.jar
  Installed version                      : 1.1.1
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



  Path                                   : /u01/app/oracle/fs1/FMW_Home/webtier/oui/jlib/jlib/log4j-core.jar
  Installed version                      : 1.1.1
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



  Path                                   : /u01/app/oracle/fs1/FMW_Home/webtier/ccr/lib/log4j-core.jar
  Installed version                      : 1.1.1
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



  Path                                   : /u01/app/oracle/fs1/FMW_Home/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.17-16.jar
  Installed version                      : 1.2.17
  Security End of Life                   : August 5, 2015
  Time since Security End of Life (Est.) : >= 8 years



Please advise which patch I need to apply to fix those. We have EBS 12.2.10.

Re: Log4j alerts in prod oracle apps

Mohammed Hamed
Hi Erman,

Please help me on this. I did apply 33672402.

Re: Log4j alerts in prod oracle apps

ErmanArslansOracleBlog
Administrator
Actually, standard logging for Oracle E-Business Suite does not use log4j. However, log4j is present in the Oracle E-Business Suite file system.
This may be due to your AD TXK level.
Your log4j versions seem old.
Please see -> CVE-2021-44228/CVE-2021-45046/CVE-2021-44832/CVE-2021-45105 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities) (Doc ID 2827804.1)

Oracle E-Business Suite Release 12.2.x instances with R12.TXK.C.Delta.12 or later may be your fix for this.
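
One way to check what each flagged jar actually contains before acting on scanner findings like those in the first post (an added example, not code from this thread or from Oracle). It assumes the standard Apache log4j package paths; `make_sample_jar` is a hypothetical helper that builds constructed test input.

```python
import io, os, re, zipfile

V1_PREFIX = "org/apache/log4j/"                    # log4j 1.x package
V2_CORE_PREFIX = "org/apache/logging/log4j/core/"  # log4j 2.x core package
# Class involved in CVE-2021-44228; it exists only in log4j-core 2.x.
JNDI_LOOKUP = V2_CORE_PREFIX + "lookup/JndiLookup.class"

def inspect_jar(jar):
    """Classify a jar (path or file object) by its contents, not its file name."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        version = None
        if "META-INF/MANIFEST.MF" in names:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^(?:Implementation|Bundle)-Version:\s*(\S+)", text, re.M)
            version = m.group(1) if m else None
    classes = [n for n in names if n.endswith(".class")]
    return {
        "log4j1": any(n.startswith(V1_PREFIX) for n in classes),
        "log4j2_core": any(n.startswith(V2_CORE_PREFIX) for n in classes),
        "jndi_lookup": JNDI_LOOKUP in names,
        "manifest_version": version,
    }

def scan(root):
    """Walk root; return {path: findings} for every jar that holds log4j classes."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                info = inspect_jar(path)
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable or not a real zip archive
            if info["log4j1"] or info["log4j2_core"]:
                hits[path] = info
    return hits

def make_sample_jar(entries):
    """Build a constructed in-memory jar (hypothetical helper for demonstration)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    import sys
    for path, info in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, info)
```

Because it inspects every jar rather than matching on file names, it also finds copies embedded under other names. Jars nested inside other archives are not unpacked.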