Waters

Is EDS365 software affected by the Log4j vulnerability? - WKB224722

Article number: 224722

ENVIRONMENT

  • EDS365 Service Release 6, specifically Hotfix 1
  • EDS365 Service Release 5
  • Log4Shell
  • Log4j
  • CVE-2021-44228

ANSWER

Apache Log4j Vulnerability Update Feb 03, 2022

Waters is aware of the "zero day" vulnerability (CVE-2021-44228), announced by security researchers on Dec. 9, 2021, affecting a common software package (Apache log4j). Because log4j is widely used across web applications and cloud service providers, the full scope of this vulnerability is complex, and its impact is still being determined. Waters product and engineering teams continue to investigate this matter. Waters will provide updates for its customers about the log4j vulnerability as needed and will notify customers when the assessment is complete.

As part of the initial investigation, the following Waters software has been analyzed for the presence of log4j*.jar files:

  • EDS365 Service Release 6, specifically Hotfix 1
  • EDS365 Service Release 5

 

  • Waters EDS365 Service Release 6:
    Log4j library instances have been found in the following components integrated in this service release:

Oracle Business Intelligence v12.2.1.2 - Oracle document 2828642.1 indicates that vulnerability patches are relevant only to later releases of this component. This version of log4j is listed as non-vulnerable in the most recently issued security alert from Apache (https://logging.apache.org/log4j/2.x/security.html).

Oracle Data Integrator v11.1.1.6 - Oracle document 2827929.1 lists this version (11g) as not affected by the vulnerability.

Oracle SQL Developer v19.2.1 – Oracle document 2828123.1 states that this version includes the affected log4j library, but it is not used with SQL Developer. This component is not utilized or mandatory for the operation of EDS365 software. The following directories can be safely quarantined or removed without impacting normal operation of EDS365.  

<drive>:\app\oracle\product\19.3.0\dbhome_1\sqldeveloper

<drive>:\EDS365_SR6\EDS365_SR6\Software\WINDOWS.X64_193000_db_home\sqldeveloper

Oracle Spatial and Trace File Analyzer – Oracle document 2830143.1 lists available patches for addressing the vulnerabilities in those components that are bundled with the Oracle Database product. However, these components are not utilized or mandatory for the operation of EDS365 software. The following directories can be safely quarantined or removed without impacting normal operation of EDS365.

<drive>:\app\oracle\product\19.3.0\dbhome_1\md

<drive>:\EDS365_SR6\EDS365_SR6\Software\WINDOWS.X64_193000_db_home\md

<drive>:\app\oracle\product\19.3.0\dbhome_1\suptools\tfa

<drive>:\EDS365_SR6\EDS365_SR6\Software\WINDOWS.X64_193000_db_home\suptools\tfa
 

  • Waters EDS365 Service Release 5:
    Log4j library instances have been found in the following components integrated in this service release:

Oracle Business Intelligence v12.2.1.2 - Oracle document 2828642.1 indicates that vulnerability patches are relevant only to later releases of this component.  This version of log4j is listed as non-vulnerable in the most recently issued security alert from Apache (https://logging.apache.org/log4j/2.x/security.html).

Oracle Data Integrator v11.1.1 - Oracle document 2827929.1 lists this version (11g) as not affected by the vulnerability.

Oracle SQL Developer v3.2.10 – this component contains log4j v1.2.13, which is not one of the versions listed in the security alert from Apache. Log4J-core-1.2.13.jar does not contain the JMSAppender.class file associated with the reported vulnerability. This component is not utilized or mandatory for the operation of EDS365 software. The following directory can be safely quarantined or removed without impacting normal operation of EDS365.

<drive>:\SQLDeveloper

Oracle Spatial – Oracle document 2830143.1 lists available patches for addressing the vulnerabilities in this component that is bundled with the Oracle Database product. However, this component is not utilized or mandatory for the operation of EDS365 software. The following directory can be safely quarantined or removed without impacting normal operation of EDS365.

<drive>:\app\oracle\product\12.2.0\dbhome_1\md
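The article's assessment rests on two checks: locating every log4j*.jar under an installation, and looking inside each jar for the class tied to the reported issue (JndiLookup for log4j 2.x and CVE-2021-44228, JMSAppender for the 1.x jars discussed above). The script below is an added example, not Waters' or Oracle's code, that performs both checks over a directory tree using only the Python standard library. The sample jars it scans are constructed in a temporary directory with placeholder version strings; they are not real log4j artifacts, and the presence of an indicator class is a triage signal for review against the vendor guidance above, not a determination of exploitability.

```python
import io
import os
import re
import tempfile
import zipfile

# Class entries associated with the reported issues. Paths are the real package
# locations inside log4j jars; the labels are this example's own wording.
INDICATOR_CLASSES = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "JndiLookup (log4j 2.x, CVE-2021-44228)",
    "org/apache/log4j/net/JMSAppender.class": "JMSAppender (log4j 1.x)",
}

# Same filename pattern the article describes: log4j*.jar, case-insensitive.
JAR_NAME_RE = re.compile(r"^log4j.*\.jar$", re.IGNORECASE)


def jar_version(zf):
    """Best-effort version from the manifest's Implementation-Version header, else None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(data):
    """Return the manifest version and the indicator classes present in the jar bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        return {
            "version": jar_version(zf),
            "indicators": [label for path, label in INDICATOR_CLASSES.items() if path in names],
        }


def scan_tree(root):
    """Walk root, inspect every file matching log4j*.jar, return a list of (path, findings)."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if JAR_NAME_RE.match(name):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    results.append((full, inspect_jar(fh.read())))
    return results


def build_sample_tree(root):
    """Write constructed sample jars under root/lib (placeholders, not real log4j builds)."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)

    def write_jar(name, version, entries):
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            for entry in entries:
                zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only; constructed stub

    write_jar("log4j-core-sample.jar", "2.x-sample",
              ["org/apache/logging/log4j/core/lookup/JndiLookup.class"])
    write_jar("log4j-sample.jar", "1.x-sample",
              ["org/apache/log4j/net/JMSAppender.class"])
    write_jar("log4j-api-sample.jar", "2.x-sample",
              ["org/apache/logging/log4j/Logger.class"])
    # Bundled under another name: a filename-only search misses it, which is the
    # reason to treat the jar-name scan as a first pass rather than a final answer.
    write_jar("other-lib.jar", "1.0", ["org/apache/log4j/net/JMSAppender.class"])


def demo():
    """Build the constructed tree in a temp dir, scan it, and return {basename: findings}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return {os.path.basename(path): findings for path, findings in scan_tree(root)}


if __name__ == "__main__":
    # Real use: replace demo() with scan_tree(r"<drive>:\app\oracle\product") or similar.
    for name, finding in sorted(demo().items()):
        flag = "REVIEW" if finding["indicators"] else "ok"
        print(f"{flag:6} {name}  version={finding['version']}  "
              f"{', '.join(finding['indicators']) or '-'}")
```

Run it against an EDS365 host by passing the installation root to `scan_tree`; any jar reported as REVIEW should be matched to the component and Oracle document listed above before deciding between patching and quarantining the directory. The `other-lib.jar` case in the sample tree shows why a filename match alone is not sufficient: a shaded or renamed jar carries the same classes without the log4j prefix.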

ADDITIONAL INFORMATION

 
