![]() Latest patches for Oracle Unified Directory 12.2.1.4 (Standalone) If you select the current version 12.2.1.4, you get a table with the latest patches around Oracle Unified Directory. Oracle Unified Directory is listed under Identity & Access Management. Not so easy to find Oracle Unified Directory the first time. This is the Oracle Support Document, which is updated with every Critical Patch Advisory and lists the different patches for the whole Fusion Middleware Stack. With an update from April 19, reference is made to Oracle Support Document 2806740.2 Critical Patch Update (CPU) Patch Advisor for Oracle Fusion Middleware – Updated for July 2022. Update in Oracle Support Document 2827793.1 Ok, you have to search a bit more until you find the correct patch. It looks like I finally found my patch to fix CVE-2021-44228. ![]() On the third attempt, I read the Oracle Support Document 2827793.1 a little more closely… Scope of Oracle Support Document 2827793.1 Finally I made a standalone installation of Oracle Unified Directory to keep the size of the binaries small. In doing so, I disregarded Fusion Middleware, especially Weblogic Server. My mistake then was to first look for security fixes for Oracle Unified Directory. But after the security scanner continued to show the Apache Log4j vulnerability on a new OUD instance with April 2022 bundle patch, I took a closer look. MitigationĪt first, I assumed that the latest April 2022 bundle patch for Oracle Unified Directory would fix this vulnerability. So let’s look at possible mitigation measures. It will be difficult to justify the security exception for such a long time. The easiest thing to do is to define a security exception and ignore the security finding at least for a while and wait for an official patch. But the security scanners still show a vulnerability. What now? Oracle Unified Directory does not seem to use Log4j. But since I am not a Java developer, this simple test was sufficient for me. There are certainly other tools and better methods to verify this. For a simple plausibility test, I used jProfiler to create a head dump of an Oracle Unified Directory instance and inspected the classes. The Java head dump of an OUD instance at least does not list any corresponding Log4j classes. However, it seems reasonable to assume that this is the case. See also Oracle Support Document 2830143.1.īut as far as I know, Log4j is not used at all in a regular OUD instance. Accordingly, the home directory of Oracle Unified Directory is in the focus of security scanners, which find the corresponding Apache Log4j library and identify it as a potential vulnerability. In particular the directory oracle_common/modules/thirdparty includes a bunch of third party modules. BackgroundĪs with many other products, Oracle Unified Directory also includes the Apache Log4j library. ![]() In this blog post I show how to find and install the appropriate patch for Oracle Unified Directory and check if the vulnerability is fixed. This is also the case with Oracle Unified Directory in several customer projects. Thus, it is not surprising that this vulnerability is still on our minds. Despite a great effort, many applications could only be corrected with a delay. Especially since Log4j is used relatively widely. With a CVSS rating of 10 out of 10, this vulnerability was or is extremely critical. In December 2021, the critical vulnerability in Apache Log4j (CVE-2021-44228) was disclosed.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |