The SQL Developer shipped with OEM 13c (13.4.1.0.0 and later) includes Apache Log4j 1.x and 2.x, which vulnerability scans flag for the following CVEs:
Log4j 2.x: CVE-2021-45046, CVE-2021-44228, CVE-2021-44832, CVE-2021-45105
Log4j 1.x: CVE-2021-4104, CVE-2022-23302 and CVE-2022-23305
These log4j*.jar files are located under the SQL Developer directory, $OMS_HOME/sqldeveloper.
Since SQL Developer is no longer required by OEM, it is safe to delete the whole SQL Developer directory to address the listed vulnerabilities.
$ cd $OMS_HOME
$ rm -rf sqldeveloper
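A check to run before and after the removal, as an added example that is not part of the original post: it lists the log4j*.jar files under a directory and groups them by Log4j family. The function names and the filename-to-family mapping (standard Apache artifact names) are assumptions; the actual jar names under $OMS_HOME/sqldeveloper may differ.

```shell
#!/bin/sh
# Added example: inventory Log4j jars under a directory, by family.
# Assumption: jars use the usual Apache artifact names. Anything that does
# not match is reported as "unknown" so it still shows up for manual review.

# Print "<family> <path>" for every log4j*.jar below the given directory.
log4j_inventory() {
    dir=$1
    [ -d "$dir" ] || return 0            # directory already removed
    find "$dir" -type f -name 'log4j*.jar' | sort | while IFS= read -r jar; do
        name=${jar##*/}
        case $name in
            log4j-1.2-api-*)     family=2.x ;;  # Log4j 2 bridge for the 1.2 API
            log4j-1.*|log4j.jar) family=1.x ;;
            log4j-*-2.*)         family=2.x ;;  # log4j-core, log4j-api, ...
            *)                   family=unknown ;;
        esac
        printf '%s %s\n' "$family" "$jar"
    done
}

# Count the jars of one family ("1.x", "2.x" or "unknown") below a directory.
log4j_count() {
    log4j_inventory "$1" | awk -v f="$2" '$1 == f { n++ } END { print n + 0 }'
}

# Succeed only when no log4j*.jar remains below the directory.
log4j_clean() {
    [ -z "$(log4j_inventory "$1")" ]
}

# Usage:
#   log4j_inventory "$OMS_HOME/sqldeveloper"      # before the rm -rf
#   log4j_clean "$OMS_HOME/sqldeveloper" && echo "no Log4j jars left"
```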