Oracle security alert on Apache Log4j | Cadran Consultancy

Oracle security alert on Apache Log4j

Over the past few days, you have read about a security vulnerability in Apache Log4j in the media and on various news websites. Apache Log4j version 2 is not used in standard Oracle WebLogic Server installations and configurations. However, the Oracle WebLogic Server software does contain the vulnerable Log4j version 2 jars in the so-called third-party directories. The vulnerability applies only to Log4j versions 2.0 through 2.14.1.

By default, these Log4j version 2 jars are not present in the WebLogic Server Classpath and are therefore not used by applications or underlying products. However, it is possible that you as a customer have made your own modification to the WebLogic Server Classpath and use the Log4j jar within WebLogic Server.
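One way to check which Log4j version 2 jars exist on a server and whether any of them is on the classpath, as an added example (not Oracle's or Cadran's tooling). It assumes each jar carries the standard Maven `pom.properties` metadata and takes the 2.0 through 2.14.1 range from this page; the function names are illustrative.

```python
import os
import re
import sys
import zipfile

# Version range this page gives for the vulnerability: Log4j 2.0 through 2.14.1.
LOW, HIGH = (2, 0, 0), (2, 14, 1)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Return (major, minor, patch) for '2.14.1' or '2.0-beta9', else None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def inspect_jar(path):
    """Return (version, has_jndi_lookup); None if not a log4j-core jar.
    Assumption: the jar still contains its Maven pom.properties."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM not in names:
                return None
            props = jar.read(POM).decode("utf-8", "replace")
    except (zipfile.BadZipFile, OSError):
        return None
    m = re.search(r"^version=(.+)$", props, re.M)
    return (m.group(1).strip() if m else "unknown", JNDI in names)

def scan(root, classpath=""):
    """List log4j-core jars under root with version and classpath status."""
    on_cp = {os.path.realpath(p) for p in classpath.split(os.pathsep) if p}
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".jar")):
            path = os.path.realpath(os.path.join(folder, name))
            info = inspect_jar(path)
            if info is None:
                continue
            ver = parse_version(info[0])
            wildcard = os.path.join(os.path.dirname(path), "*")  # 'dir/*' entry
            findings.append({
                "path": path, "version": info[0], "jndi_lookup": info[1],
                "in_range": ver is not None and LOW <= ver <= HIGH,
                "on_classpath": path in on_cp or wildcard in on_cp})
    return findings

if __name__ == "__main__":
    for f in scan(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else ""):
        print(f)
```

Pass the installation root as the first argument and the classpath the server actually starts with as the second. Jars nested inside WAR or EAR archives are not opened by this check.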

Oracle will release a patch for WebLogic Server to upgrade the Log4j version 2 jars for the environments where these Apache Log4j version 2 jars are in use.

Source: Apache Log4j Security Alert CVE-2021-44228 Products and Versions (Doc ID 2827611.1) on MyOracleSupport https://support.oracle.com/epmos/faces/SearchDocDisplay?_afrLoop=268186377211747&_afrWindowMode=0&_adf.ctrl-state=17ru7k3v12_4

For Oracle JD Edwards, WebLogic (SE) is sold and used as part of the Stack license. This means that it can only be used for JD Edwards (so not for your own or other applications). This means that the installation that Cadran does for your JD Edwards system uses a standard WebLogic configuration and installation. JD Edwards runs as a component within WebLogic.

Should you have any questions regarding the security of your JD Edwards servers, or need advice or assistance with applying a patch or finding out what is actually being used, please do not hesitate to contact your regular Cadran consultant or the Cadran office: +31 (0)33 -247 15 99.