Friday, March 8, 2024

OEM 13c Log4j Vulnerabilities Security Alert for SQL Developer shipped with Oracle Enterprise Manager (OEM) Cloud Control

The SQL Developer shipped with OEM 13c (and later) includes Apache Log4j 1.x and 2.x, which security scans flag for the following vulnerabilities:

  Log4j 2.x: CVE-2021-45046, CVE-2021-44228, CVE-2021-44832, CVE-2021-45105
  Log4j 1.x: CVE-2021-4104, CVE-2022-23302, CVE-2022-23305

These log4j*.jar files are located under the SQL Developer directory, $OMS_HOME/sqldeveloper.

Since SQL Developer is no longer required by OEM, it is safe to delete the whole SQL Developer directory to remediate the listed vulnerabilities.

$ cd $OMS_HOME
$ rm -rf sqldeveloper
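
The same removal with guard rails, as an added example that is not part of the original post or Oracle's own tooling: it refuses to run when OMS_HOME is empty or relative, records which log4j*.jar files go away, and checks the result. The function names are hypothetical; the path and jar pattern are the ones given above.

```shell
#!/bin/sh
# Added example: guarded removal of $OMS_HOME/sqldeveloper with before/after checks.
# Function names are hypothetical; path and jar pattern come from the post.

# List log4j jars (1.x and 2.x file names both match log4j*.jar) under a directory.
list_log4j_jars() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name 'log4j*.jar' 2>/dev/null | sort
}

# Remove the bundled SQL Developer directory from an OMS home.
# Returns 0 on success, 2 on a refused input, 3 if the directory survives.
remove_sqldeveloper() {
    oms_home=$1
    # With an empty or relative OMS_HOME, "rm -rf sqldeveloper" would act
    # on whatever directory the shell happens to be in.
    case "$oms_home" in
        /*) ;;
        *) echo "OMS_HOME must be an absolute path" >&2; return 2 ;;
    esac
    [ -d "$oms_home" ] || { echo "no such OMS home: $oms_home" >&2; return 2; }

    target=$oms_home/sqldeveloper
    # Removing a symlink would leave the real jars in place for the scanner.
    [ -L "$target" ] && { echo "refusing: $target is a symlink" >&2; return 2; }
    if [ ! -d "$target" ]; then
        echo "nothing to do: $target is absent"
        return 0
    fi

    echo "log4j jars removed together with $target:"
    list_log4j_jars "$target"
    rm -rf -- "$target"
    [ ! -e "$target" ] || return 3

    # Anything printed here lives outside sqldeveloper and is not covered by the post.
    echo "log4j jars still present under $oms_home:"
    list_log4j_jars "$oms_home"
    return 0
}

# Usage (run as the OMS software owner): remove_sqldeveloper "$OMS_HOME"
```

Keep the printed jar list as evidence for the follow-up scan.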
