I have been asked to check our db for the log4j vulnerability. The information on the web is a little confusing but it is my understanding if you have Log4j.jar or log4j.bin you need to remediate these issues and it is not just Apache. So I did a search on my db and found:
/u01/app/oracle/product/19.0.0/dbhome_1/suptools/tfa/release/tfa_home/jlib/log4j-core-2.9.1.jar
/u01/app/oracle/product/19.0.0/dbhome_1/md/property_graph/lib/log4j-core-2.11.0.jar
So my question is are these vulnerabilities? What is the best way to fix these?
Thank you
From my research I found the following post which answered my question. It was on community.oracle.com/tech/developers so I will consider it gospel.
The files are there because Oracle has them as part of the library. It doesn't mean that Oracle is using them. Log4j is vulnerable only while being used/while running. Since Oracle DB does not use it the vulnerability is not exploitable and it’s safe leaving those files in the server.
As of now Oracle doesn’t recommend deleting those jar files either.