How to mitigate the impact associated with CVE-2021-44228 and CVE-2021-45046 on Oracle Fusion Middleware 12.2.1.4



In December 2021 a vulnerability was found in Log4j, an open-source logging library commonly used by applications and services across the internet. This vulnerability has shaken the entire world. To mitigate it in Oracle Fusion Middleware, Oracle recommends applying the following patches.

Download the following patches for WLS Release 12.2.1.4:

1. Download the latest OPatch for WLS (Patch 28186730).

2. For WLS and FMW Infrastructure, if you have not been applying the quarterly security updates, Coherence Patch 33286160 is a prerequisite.

3. WLS PATCH SET UPDATE 12.2.1.4.210930 (Patch 33416868).

4. WLS OVERLAY PATCH FOR 12.2.1.4.0 OCT 2021 PSU (Patch 33671996) for CVE-2021-44228 and CVE-2021-45046.





I will be applying these patches in a Windows environment.

SET ORACLE_HOME=D:\app\oracle\product\12.2.1.4

SET JAVA_HOME=D:\app\oracle\jdk

Apply patch 28186730. This patch installs the latest version of OPatch for FMW/WLS:

D:\app\oracle\product\12.2.1.4\OPatch>%java_home%\bin\java -jar C:\Users\Administrator\Downloads\6880880\opatch_generic.jar -silent oracle_home=D:\app\oracle\product\12.2.1.4

 

Launcher log file is C:\Users\Administrator\AppData\Local\Temp\1\OraInstall2021-12-19_05-06-36PM\launcher2021-12-19_05-06-36PM.log.

Extracting the installer . . . . Done

Checking if CPU speed is above 300 MHz.   Actual 2400    Passed

Checking swap space: must be greater than 512 MB    Passed

Checking if this platform requires a 64-bit JVM.   Actual 64    Passed (64-bit not required)

Checking temp space: must be greater than 300 MB.   Actual 272082 MB    Passed

Preparing to launch the Oracle Universal Installer from C:\Users\Administrator\AppData\Local\Temp\1\OraInstall2021-12-19_05-06-36PM

Installation Summary

….

….

….

The install operation completed successfully.

 

Logs successfully copied to C:\Program Files\Oracle\Inventory\logs.


Shut down all application services (Node Manager, WebLogic, Forms, Reports, OHS, etc.).

Navigate to the patch location and apply the patch.


unzip p33286160_1221411_Generic.zip

List the installed components to check the installed Coherence version:

 

C:\Users\Administrator>%ORACLE_HOME%/OPatch/opatch.bat lsinventory -jdk %JAVA_HOME% -inactive

Oracle Interim Patch Installer version 13.9.4.2.1

Copyright (c) 2021, Oracle Corporation.  All rights reserved.

 

 

Oracle Home       : D:\app\oracle\product\12.2.1.4

Central Inventory : C:\Program Files\Oracle\Inventory

   from           :

OPatch version    : 13.9.4.2.1

OUI version       : 13.9.4.0.0

Log file location : D:\app\oracle\product\12.2.1.4\cfgtoollogs\opatch\opatch2021-12-19_16-18-03PM_1.log

 

 

OPatch detects the Middleware Home as "D:\app\oracle\product\12.2.1.4"

 

Lsinventory Output file location : D:\app\oracle\product\12.2.1.4\cfgtoollogs\opatch\lsinv\lsinventory2021-12-19_16-18-03PM.txt

 

--------------------------------------------------------------------------------

Local Machine Information::

Hostname: CSAPP2

ARU platform id: 233

ARU platform description:: Microsoft Windows Server 2003 (64-bit AMD)

 

 

There are no inactive patches installed in this Oracle Home.

 

--------------------------------------------------------------------------------

 

OPatch succeeded.



cd C:\Users\Administrator\Downloads

C:\Users\Administrator\Downloads>%ORACLE_HOME%/OPatch/opatch apply 1221411 -jdk %JAVA_HOME%

Oracle Interim Patch Installer version 13.9.4.2.1

Copyright (c) 2021, Oracle Corporation.  All rights reserved.

 

 

Oracle Home       : D:\app\oracle\product\12.2.1.4

Central Inventory : C:\Program Files\Oracle\Inventory

   from           :

OPatch version    : 13.9.4.2.1

OUI version       : 13.9.4.0.0

Log file location : D:\app\oracle\product\12.2.1.4\cfgtoollogs\opatch\opatch2021-12-19_16-22-18PM_1.log

 

 

OPatch detects the Middleware Home as "D:\app\oracle\product\12.2.1.4"

 

Verifying environment and performing prerequisite checks...

OPatch continues with these patches:   1221411

 

Do you want to proceed? [y|n]

y

User Responded with: Y

All checks passed.

Backing up files...

Applying interim patch '1221411' to OH 'D:\app\oracle\product\12.2.1.4'

 

Patching component oracle.coherence, 12.2.1.4.0...

Patch 1221411 successfully applied.

Log file location: D:\app\oracle\product\12.2.1.4\cfgtoollogs\opatch\opatch2021-12-19_16-22-18PM_1.log

 

OPatch succeeded.



Unzip patch 33416868 and apply it:


C:\Users\Administrator\Downloads>%ORACLE_HOME%/OPatch/opatch apply 33416868 -jdk %JAVA_HOME%

 


Unzip patch 33671996 and apply it:


cd C:\Users\Administrator\Downloads\33671996

%ORACLE_HOME%/OPatch/opatch apply

 


Mitigation Plan

If patching is not possible at this time, you can mitigate the Log4j vulnerabilities with the steps below.

This mitigation applies to Log4j v2 prior to 2.16.0, including 2.15.

1. Navigate to the location:

ORACLE_HOME/oracle_common/modules/thirdparty/ 


2. Run the command below against the installed Log4j version 2 files:

12.2.1.3.0: log4j-1.2.17.jar - This is expected to contain a version 2 file
12.2.1.4.0: log4j-2.11.1.jar
14.1.1.0.0: log4j-core-2.11.1.jar and log4j-api-2.11.0.jar

Unix:

zip -q -d log4j*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class


Windows: 

Use a zip utility to extract the contents as a .zip, remove JndiLookup.class, and re-zip.
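The Windows step above, done with Python's standard zipfile module instead of a GUI zip tool, as an added example (not from the Oracle note): check every log4j*.jar under a directory for JndiLookup.class, and rewrite a jar without it while keeping a .bak copy. The class path is the one given in the note; the directory, jar name and class bytes in demo() are constructed stand-ins, not real Log4j code.

```python
import os
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # path from the Oracle note

def jar_has_jndi_lookup(jar_path):
    """True if the jar still carries the lookup class the mitigation removes."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()

def remove_jndi_lookup(jar_path):
    """Drop JndiLookup.class from the jar, keeping every other entry's bytes and ZipInfo.
    A .bak copy is kept for rollback. Returns False if the class was already absent."""
    if not jar_has_jndi_lookup(jar_path):
        return False
    shutil.copy2(jar_path, jar_path + ".bak")
    with zipfile.ZipFile(jar_path + ".bak") as src, zipfile.ZipFile(jar_path + ".tmp", "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(jar_path + ".tmp", jar_path)  # single-step swap: no half-written jar left behind
    return True

def scan_directory(directory):
    """Map each log4j*.jar under directory (e.g. oracle_common/modules/thirdparty)
    to whether it still contains JndiLookup.class."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.startswith("log4j") and name.endswith(".jar"):
                path = os.path.join(root, name)
                report[path] = jar_has_jndi_lookup(path)
    return report

def demo():
    """Mitigate a constructed stand-in jar (fake bytes, not Log4j) in a temp dir and
    return (removed, still_vulnerable, other_entry_intact)."""
    workdir = tempfile.mkdtemp()
    jar = os.path.join(workdir, "log4j-core-2.11.1.jar")
    keep, keep_bytes = "org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe keep"
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe constructed")
        z.writestr(keep, keep_bytes)
    removed = remove_jndi_lookup(jar)
    still_vulnerable = scan_directory(workdir)[jar]
    with zipfile.ZipFile(jar) as z:
        intact = z.read(keep) == keep_bytes
    shutil.rmtree(workdir)
    return removed, still_vulnerable, intact
```

Each jar is processed on its own, so the same scan covers the 14.1.1 layout with two jars, and running scan_directory again after the change confirms the class is gone.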



Reference: Security Alert CVE-2021-44228 / CVE-2021-45046 Patch Availability Document for Oracle WebLogic Server & Fusion Middleware (Doc ID 2827793.1)

The “visiblepw” option is not set in the sudoers file and, as a result, the user will not be able to run sudo over SSH

While installing the agent on a target host for Oracle Enterprise Manager 13c, the following error is observed:




Solution:

This issue has two possible solutions.

1. Change the entry “Defaults !visiblepw” to “Defaults visiblepw” in the /etc/sudoers file and retry the agent deployment. This needs to be done on the target host server. (With visiblepw set, sudo will prompt for a password even when it cannot disable terminal echo, so the password may be shown on screen; this is why the option is off by default.)

2. Alternatively, set the "oracle.sysman.prov.agentpush.enablePty" property to true in the "/data2/app/oracle/middleware/sysman/prov/agentpush/agentpush.properties" file, which is present on the OMS host, and pass the -S argument to the sudo command:

/usr/bin/sudo -S -u %RUNAS% %COMMAND%

Now retry the agent deployment; this time it should succeed.



Enterprise manager 13c: Error During Agent Installation

While installing the agent on a target host for Oracle Enterprise Manager 13c, the following error is observed:

EM 12c, 13c: Error During Agent Installation: Ensure central inventory is owned by install user, has read and write permission



Solution:

Make sure that inventory_loc in the /etc/oraInst.loc file points to a valid inventory location and that it is writable by the installing user on the target host server, for example:

inventory_loc=/DEV/R12DEV/db/tech_st/19.3.0/oraInventory

where <valid inventory location> must be writable by the installing user. 




 

SQL Query to get details of a concurrent process in EBS R12.1.3

First, get the Forms process ID for the concurrent request (request_id 211503612 in this example):

SQL> SET LINES 222

SQL> col MODULE for a40

SQL> col ACTION for a40

select sid, serial#, process, module, action
  from v$session
 where process = (select p.os_process_id
                    from fnd_concurrent_requests r, fnd_concurrent_processes p
                   where r.controlling_manager = p.concurrent_process_id
                     and r.request_id = 211503612);




To get more details of the process ID and the command to kill that session:

select s.ecid, s.inst_id, s.sid, s.serial#, p.spid, s.status, s.machine, s.action, s.module,
       s.terminal, s.sql_id, s.last_call_et, s.event, s.client_info, s.plsql_subprogram_id,
       s.program, s.client_identifier,
       (select max(substr(sql_text, 1, 40)) from gv$sql sq where sq.sql_id = s.sql_id) as sql_text,
       -- top-level PL/SQL call the session entered
       (select object_name from dba_procedures
         where object_id = s.plsql_entry_object_id and subprogram_id = 0) as plsql_entry_object,
       (select procedure_name from dba_procedures
         where object_id = s.plsql_entry_object_id
           and subprogram_id = s.plsql_entry_subprogram_id) as plsql_entry_subprogram,
       -- PL/SQL object currently executing (distinct alias from the entry object above)
       (select object_name from dba_procedures
         where object_id = s.plsql_object_id and subprogram_id = 0) as plsql_object,
       (select procedure_name from dba_procedures
         where object_id = s.plsql_object_id
           and subprogram_id = s.plsql_subprogram_id) as plsql_subprogram,
       -- ready-to-run kill command: alter system kill session 'sid,serial#,@inst_id' immediate;
       'alter system kill session ''' || s.sid || ',' || s.serial# || ',@' || s.inst_id
         || ''' immediate;' as kill_session
  from gv$session s, gv$process p
 where s.process = '32488'          -- Forms OS process ID
   -- and s.program like '%frm%'
   and p.addr = s.paddr
   and p.inst_id = s.inst_id;