UPDATE (21-dec-21) Last week we informed you about the serious Log4j 2 vulnerability CVE-2021-44228. A lot of suppliers have supplied patches to fix the vulnerability that need to be installed.
For JD Edwards Oneworld environments: We have investigated the impact noticed that Apache Log4j version 2 is not used in default Oracle Weblogic Server installations, but can contain some Apache Log4j version 2 jars.
These jar files can be found in the directory: ORACLE_HOME/oracle_common/modules/thirdparty
Meanwhile, Oracle confirmed the use of the Apache Log4J vulnerability in Oracle WebLogic Server – Version 12.2.1.3.0 to 14.1.1.0.0
We recommend applying the Oracle WebLogic Server patch to upgrade the Log4j packages and mitigate the vulnerabilities. Use the following Patch set update to update the Apache Log4j version 2 libraries:
If you need assistance or guidance, please reach out to support@steltix.com

_____________________________________________

We know that a lot of suppliers are working hard on fixing the new and serious Log4j 2 vulnerability CVE-2021-44228, which has a 10.0 CVSS score, now going by the name Log4Shell. This vulnerability in Log4j 2, a very common Java logging library, allows remote code execution, often from a context that is easily available to an attacker. It was found in servers that allowed the commands to be typed into chat logs as these were then sent to the logger. This makes it a very serious vulnerability, as the logging library is used so widely and it may be simple to exploit. Many open source maintainers are working hard with fixes and updates to the software ecosystem.

We want to help you as much as we can in this challenging time, and we have collected as much information as possible for you here, including how to detect the CVE and potential mitigations.

On December 9, 2021, Steltix security and engineering teams received Oracle communication of the Log4j2 vulnerability (CVE-2021-44228) and initiated investigations. In combination with Oracle Services Steltix is checking if vulnerable configurations are identified. As of December 13, 2021, Steltix has observed no indicators of compromise in JD Edwards and related products, like WebLogic and Oracle Database are listed as ’Oracle products not requiring patches’.

Our Steltix Products Appshare, Transparent Logon, dropZone, APA and Version Workbench are not affected.

Please note the two linked Oracle documents. So far, we have not found anything that could impact our products or services, nevertheless, as Steltix, we are doing a more in-depth investigation. If we do find this vulnerability in our products or services, we will communicate this and fix the problem as soon as possible.