Back in December 2021, it was reported that Oracle E-Business Suite (EBS) had been exposed to multiple significant security vulnerabilities, specifically labeled as CVE-2021-44228, CVE-2021-45046, and CVE-2021-4104. The first one is a critical risk and the other two are medium risk security vulnerabilities. The first critical vulnerability is nicknamed Log4Shell and it allows attackers to potentially perform remote code execution on an application server.
The second vulnerability, CVE-2021-45046, is somewhat of an alteration of the first critical vulnerability that allows attackers to bypass protections. The third vulnerability, CVE-2021-4104, can be found in unsupported versions of Log4j that allow attackers to deserialize attacks when Log4j JMSAppender is configured, which is in charge of publishing log entries or events to the Java Message Service.
Now, before we go into why that bit of information is critical to the modernization of your Oracle EBS security, let’s first discuss what Log4j is.
Log4j is a Java-based utility for logging that is part of the Apache Logging Services. Log4j is only one of several Java logging frameworks but it has now garnered a reputation for being an obscure and nearly ubiquitous piece of software that is used to “go under the hood” of several software systems, which was the case for Oracle EBS security.
Jen Easterly of the US Cybersecurity and Infrastructure Security Agency referred to the Log4j security flaw as “the most serious vulnerability” she’s seen in her decades-long career, calling out business and application leaders to ensure they are protected against this vulnerability.
What Makes Log4j So Harmful?
Well, the security flaw records events and communicates what’s known as diagnostic messages aboud said records to system administrators and users. For example, imagine you type or click on a bad link and get a 404 error message. The event is recorded in a log for the system admins using Log4j, and what’s truly concerning, is the far-reaching extent to which Log4j is exposed to. Logging is a fundamental part of most software, making Log4j very widespread.
Within this context, hackers have a wealth of opportunities and plenty of surface attack areas to choose from. Hackers are constantly on the prowl for vulnerable servers or systems to remotely attack and control.
Hackers are abusing the Log4j vulnerability in the form of ransomware, mining bitcoin, gaining access to unauthorized and sensitive information from geopolitical rivals, and many more, as people are still identifying new ways to wreak havoc using Log4j.
Now, what does the Log4j security flaw mean in Oracle EBS security? The popular Java logging library is installed in Oracle EBS environments, meaning that vulnerabilities associated with Log4j are easily exploitable in the Oracle EBS environment as well as Oracle EBS customizations, security patches, and third-party integrations, all depending on the version of Oracle EBS clients are running.
Back in December 15, 2021, Oracle announced that it changed the remediation and disclosed the most recent Log4j security vulnerabilities which was CVE-2021-45046, all because the initial recommended fix was not entirely complete.
The Log4j library is present in Oracle EBS versions 12.0 through 12.2.10, which was released in September 2020. Last year, in November 2021, Oracle announced version 12.2.11 packed with new innovations and patches that further protected the software instance.
Vulnerable versions of the Log4j library are loaded in some Oracle EBS web app Java containers for all environments but an exploitable attack vector is yet to be directly discovered in Oracle EBS security. Still, the primary cause of concern is customer customizations or third-party integrations or Oracle EBS add-ons that may be using the Log4j library.
The recommendations are that all Oracle EBS clients review their customizations to ensure Log4j is not lurking in there and to review all Oracle EBS third-party products that integrate with the EBS web application, as there’s plenty of potential for vulnerability exploitation via customizations and third-party integrations.
Ultimately, the best course of action to ensure the safety of your Oracle EBS application is that you are upgraded and patched to the latest version of release 12.2.x.