Waters

Does the Apache "Log4Shell" vulnerability in log4j impact waters_connect/UNIFI releases? - WKB224535

Article number: 224535

ENVIRONMENT

  • UNIFI 1.9.4
  • waters_connect/UNIFI 1.9.9
  • waters_connect/UNIFI 1.9.12
  • waters_connect/UNIFI 1.9.13
  • Log4Shell/CVE-2021-44228

ANSWER

Apache Log4j Vulnerability Update February 03, 2022

Waters is aware of the "zero day" vulnerability (CVE-2021-44228) that security researchers announced on Dec. 9, 2021 and that affects a common software package (Apache Log4j).

waters_connect/UNIFI software

Waters performed an assessment of the waters_connect / UNIFI application binaries and the third-party software code included in all workstation and network deployments. Waters' current findings are documented below. Please continue to check this page for further updates (last updated on Feb. 2nd, 2022).

For all versions of Waters UNIFI and waters_connect / UNIFI, the application codebase is not built on Java and does not use Apache Log4j libraries.

UNIFI and waters_connect / UNIFI workstation and network deployments include Oracle database installations that contain Apache Log4j libraries (see more detail below). However, no implementation of UNIFI or waters_connect / UNIFI supported by Waters relies on or uses Log4j libraries for normal application functions.

Waters tested all supported versions of UNIFI and waters_connect / UNIFI and determined that the directories containing the affected Log4j libraries, as deployed by Oracle installations from the Waters-supplied media, can be safely quarantined or removed. Quarantining by archiving the affected directories with zip or an equivalent utility is recommended over removal because it is reversible and thus less prone to errors.
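One way to carry out the reversible quarantine described above, as an added example that is not Waters or Oracle tooling. The function name and the `\Quarantine` location are assumptions; the directory path in the usage line is one of those listed in this article, resolved against the current drive.

```powershell
# Added example: reversible quarantine of one directory named in this article.
# Function name and quarantine location are assumptions, not vendor tooling.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Move-DirectoryToQuarantine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,           # directory to quarantine
        [Parameter(Mandatory)][string]$QuarantineRoot  # where the zip is kept (assumed)
    )
    $source = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    if (-not (Test-Path -LiteralPath $source -PathType Container)) {
        throw "Not a directory: $source"
    }
    # Absolute path even if the folder does not exist yet (.NET ignores PowerShell's cwd).
    $root    = $PSCmdlet.GetUnresolvedProviderPathFromPSPath($QuarantineRoot)
    $name    = '{0}-{1}.zip' -f (Split-Path -Path $source -Leaf), (Get-Date -Format 'yyyyMMdd-HHmmss')
    $archive = Join-Path $root $name
    if ($archive.StartsWith("$source\", [StringComparison]::OrdinalIgnoreCase)) {
        throw "Quarantine folder must be outside the directory being archived."
    }
    if (-not $PSCmdlet.ShouldProcess($source, "Archive to $archive and remove")) { return }
    New-Item -ItemType Directory -Path $root -Force | Out-Null

    # CreateFromDirectory keeps hidden files, which Compress-Archive ignores.
    $level = [System.IO.Compression.CompressionLevel]::Optimal
    [System.IO.Compression.ZipFile]::CreateFromDirectory($source, $archive, $level, $true)

    # Verify before deleting: every file on disk must be present in the archive.
    $onDisk = @(Get-ChildItem -LiteralPath $source -Recurse -File -Force).Count
    $zip = [System.IO.Compression.ZipFile]::OpenRead($archive)
    try { $inZip = @($zip.Entries | Where-Object { $_.Name -ne '' }).Count }
    finally { $zip.Dispose() }
    if ($inZip -ne $onDisk) {
        throw "Archive holds $inZip files but source has $onDisk; source left in place."
    }

    Remove-Item -LiteralPath $source -Recurse -Force
    [pscustomobject]@{
        Source  = $source
        Archive = $archive
        Files   = $inZip
        SHA256  = (Get-FileHash -LiteralPath $archive -Algorithm SHA256).Hash
    }
}

# Dry run first; drop -WhatIf to perform the quarantine.
Move-DirectoryToQuarantine -Path '\Waters\Oracle\DbHome\sqldeveloper' -QuarantineRoot '\Quarantine' -WhatIf
```

To reverse the change, extract the archive into the original parent directory; the archive keeps the top-level folder name, so the directory is restored in place.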

 

  • UNIFI 1.9.4 (Oracle 12c)
  • Default installations of UNIFI 1.9.4 include Oracle Database installations that contain Apache Log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache Log4j libraries. Log4j libraries are located at:

\Waters\Oracle\Oracle12c\ccr\lib
Version 1.x Log4j libraries are not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Waters\Oracle\Oracle12c\sysman\jlib\ocm
Version 1.x Log4j libraries are not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Waters\Oracle\Oracle12c\sqldeveloper\sqldeveloper\lib
While an affected Log4j library is present, it is not used by SQL Developer. (Oracle Doc ID 2828123.1) SQL Developer is neither used nor mandatory for Waters product operation. The parent directory \Waters\Oracle\Oracle12c\sqldeveloper can be safely quarantined or removed without impacting normal operation of waters_connect/UNIFI.

\Waters\Oracle\Oracle12c\oui\jlib\jlib
Oracle Universal Installer is not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Waters\Oracle\asm12c\oui\jlib\jlib (network deployments only)
Oracle Universal Installer is not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

  • Default installations of Client and LND version based on UNIFI 1.9.4 do not contain Apache Log4j libraries and are not affected by the Log4j vulnerabilities.

 

  • waters_connect / UNIFI 1.9.9 (Oracle 12c)
  • Default installations of UNIFI 1.9.9 include Oracle Database installations that contain Apache Log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache Log4j libraries. Log4j libraries are located at:

\Waters\Oracle\Oracle12c\ccr\lib
Version 1.x Log4j libraries are not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Waters\Oracle\Oracle12c\sysman\jlib\ocm
Version 1.x Log4j libraries are not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Waters\Oracle\Oracle12c\sqldeveloper\sqldeveloper\lib
While an affected Log4j library is present, it is not used by SQL Developer. (Oracle Doc ID 2828123.1) SQL Developer is neither used nor mandatory for Waters product operation. The parent directory \Waters\Oracle\Oracle12c\sqldeveloper can be safely quarantined or removed without impacting normal operation of waters_connect/UNIFI.

\Waters\Oracle\Oracle12c\oui\jlib\jlib
Oracle Universal Installer is not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Waters\Oracle\asm12c\oui\jlib\jlib (network deployments only)
Oracle Universal Installer is not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

  • Default installations of Client and LND version based on waters_connect / UNIFI 1.9.9 do not contain Apache Log4j libraries and are not affected by the Log4j vulnerabilities.

 

  • waters_connect / UNIFI 1.9.12 (Oracle 19c)
  • Default installations of UNIFI 1.9.12 include Oracle Database installations that contain Apache Log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache Log4j libraries. Log4j libraries are located at:

\Waters\Oracle\DbHome\md\property_graph\lib
This is part of the Oracle Spatial product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the Waters CDS product. The parent directory \Waters\Oracle\DbHome\md can be safely quarantined or removed without impacting normal operation of waters_connect/UNIFI.

\Waters\Oracle\DbHome\sqldeveloper\sqldeveloper\lib (optional install for support purposes)
While an affected Log4j library is present, it is not used by SQL Developer. (Oracle Doc ID 2828123.1) SQL Developer is neither used nor mandatory for Waters product operation. The parent directory \Waters\Oracle\DbHome\sqldeveloper can be safely quarantined or removed without impacting normal operation of waters_connect/UNIFI.

\Waters\Oracle\DbHome\suptools\tfa\release\tfa_home\jlib
This is part of the Oracle Trace File Analyzer product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the Waters CDS product. The parent directory \Waters\Oracle\DbHome\suptools\tfa can be safely quarantined or removed without impacting normal operation of waters_connect/UNIFI.

\Waters\Oracle\AsmHome\suptools\tfa\release\tfa_home\jlib (network deployments only)
This is part of the Oracle Trace File Analyzer product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the Waters CDS product. The parent directory \Waters\Oracle\AsmHome\suptools\tfa can be safely quarantined or removed without impacting normal operation of waters_connect/UNIFI.

  • Default installations of Client and LND version based on waters_connect / UNIFI 1.9.12 do not contain Apache Log4j libraries and are not affected by the Log4j vulnerabilities.

 

  • waters_connect / UNIFI 1.9.13 (Oracle 19c)
  • Default installations of UNIFI 1.9.13 include Oracle Database installations that contain Apache Log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache Log4j libraries. Log4j libraries are located at:

\Waters\Oracle\DbHome\md\property_graph\lib
This is part of the Oracle Spatial product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the Waters CDS product. The parent directory \Waters\Oracle\DbHome\md can be safely quarantined or removed without impacting normal operation of waters_connect/UNIFI.

\Waters\Oracle\DbHome\sqldeveloper\sqldeveloper\lib (optional install for support purposes)
While an affected Log4j library is present, it is not used by SQL Developer. (Oracle Doc ID 2828123.1) SQL Developer is neither used nor mandatory for Waters product operation. The parent directory \Waters\Oracle\DbHome\sqldeveloper can be safely quarantined or removed without impacting normal operation of waters_connect/UNIFI.

\Waters\Oracle\DbHome\suptools\tfa\release\tfa_home\jlib
This is part of the Oracle Trace File Analyzer product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the Waters CDS product. The parent directory \Waters\Oracle\DbHome\suptools\tfa can be safely quarantined or removed without impacting normal operation of waters_connect/UNIFI.

\Waters\Oracle\AsmHome\suptools\tfa\release\tfa_home\jlib (network deployments only)
This is part of the Oracle Trace File Analyzer product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the Waters CDS product. The parent directory \Waters\Oracle\AsmHome\suptools\tfa can be safely quarantined or removed without impacting normal operation of waters_connect/UNIFI.

  • Default installations of Client and LND version based on waters_connect / UNIFI 1.9.13 do not contain Apache Log4j libraries and are not affected by the Log4j vulnerabilities.
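To cross-check scanner findings against the directories listed above, before and after quarantine, the following added example (not Waters or Oracle code) inventories JAR files under the Oracle install root and separates Log4j 1.x from Log4j 2.x core libraries. The function name is an assumption, the root path is taken from this article and resolved against the current drive, and JARs nested inside other archives are not inspected.

```powershell
# Added example: local inventory of Log4j JARs under the Oracle install root.
# Function name is an assumption; this is not vendor tooling.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jJarInventory {
    param([string]$Root = '\Waters\Oracle')   # root from the article, current drive

    # Class that implements the JNDI lookup in Log4j 2.x log4j-core.
    $jndi = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Filter '*.jar' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $jar = $_
            try   { $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName) }
            catch { Write-Warning "Unreadable JAR: $($jar.FullName)"; return }
            try   { $names = @($zip.Entries | ForEach-Object { $_.FullName }) }
            finally { $zip.Dispose() }

            # Package prefixes: org/apache/log4j is 1.x, org/apache/logging/log4j/core is 2.x.
            $hasV1   = @($names -like 'org/apache/log4j/*').Count -gt 0
            $hasCore = @($names -like 'org/apache/logging/log4j/core/*').Count -gt 0
            if (-not ($hasV1 -or $hasCore)) { return }   # not a Log4j library

            [pscustomobject]@{
                Directory       = $jar.DirectoryName
                Jar             = $jar.Name
                Generation      = if ($hasCore) { '2.x core' } else { '1.x' }
                JndiLookupClass = $names -contains $jndi
                SHA256          = (Get-FileHash -LiteralPath $jar.FullName -Algorithm SHA256).Hash
            }
        }
}

# Group results by directory so they line up with the paths listed in this article.
Get-Log4jJarInventory | Sort-Object Directory, Jar | Format-Table -AutoSize
```

Rows reported as `2.x core` are the ones to compare against the quarantine candidates named for each release; rows reported as `1.x` correspond to the directories this article describes as containing version 1.x libraries.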
