Background
The Java programming language sometimes looks like an accomplice. The Java Sandbox attempts to enforce a privilege model that permits safe execution of untrusted code; it is most famously used to permit the automatic execution of Java applets in a browser.
Vulnerability details
Apache Log4j is a Java-based logging utility and one of several Java logging frameworks. Through a design flaw found in Oracle products that bundle Log4j, this vulnerability may become remotely exploitable without authentication, i.e., it may be exploited over a network without requiring user credentials.
Sample of using the Log4j Library
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class Jangles {
    // Commons Logging discovers the backend at runtime; with Log4j on the classpath it delegates to Log4j.
    private static Log log = LogFactory.getLog(Jangles.class);

    public static void main(String[] args) {
        log.info("This is a testing message.");
        // Guard the debug call so the message is only emitted when DEBUG is enabled.
        if (log.isDebugEnabled()) {
            log.debug("This is a testing message.");
        }
    }
}
The sample above lets Log4j control the output of other libraries that use Apache Commons Logging, such as the Java Caching System.
So, do you think this usage is the root cause of the vulnerability?
The reference number of this vulnerability goes back to 2017. However, the Oracle Critical Patch Update Advisory of July 2018 still carries a status update for it. If you use Oracle products, you must stay alert!
Vulnerability detail:
This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The official announcement is linked below:
Oracle Critical Patch Update Advisory – July 2018 – http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixEM
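A defender reading the advisory first needs to know which installations bundle a vulnerable Log4j. The following Python triage helper is an added example, not code from the original post or from Oracle or Apache: it reads the Log4j version out of a jar's embedded Maven pom.properties or its manifest and classifies it against 2.8.2, which I take as the upstream Log4j 2.x fix version for CVE-2017-5645 (an assumption of this example; Log4j 1.x is end-of-life and flagged separately). The jar bytes are constructed inline as sample input.

```python
import io
import re
import zipfile

# Upstream fix for CVE-2017-5645 in the Log4j 2.x line (an assumption stated in the lead-in).
FIXED_2X = (2, 8, 2)
# Where a Log4j 2 jar records its version: the Maven pom.properties embedded
# by the log4j-core build, or the jar manifest.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"

def parse_version(text):
    """Turn '2.8.1' into (2, 8, 1); a missing minor or patch part counts as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(p) if p else 0 for p in m.groups()) if m else None

def log4j_version_from_jar(jar_bytes):
    """Read the Log4j version from a jar, preferring pom.properties over the manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
        if MANIFEST in names:
            for line in jar.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    return parse_version(line.split(":", 1)[1])
    return None

def classify(version):
    """Map a version tuple to a triage status for CVE-2017-5645."""
    if version is None:
        return "unknown"
    if version[0] == 1:
        return "legacy-1.x"  # end-of-life line: rely on the vendor advisory instead
    return "affected" if version[0] == 2 and version < FIXED_2X else "fixed"

def triage_jar(jar_bytes):
    return classify(log4j_version_from_jar(jar_bytes))

def make_test_jar(version, use_pom=False):
    """Constructed sample input: a minimal jar carrying only a version record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if use_pom:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        else:
            jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return buf.getvalue()
```

Point triage_jar at the bytes of each log4j-core jar found under a product's install tree; a result of "affected" or "legacy-1.x" means the product row in the table below deserves the vendor patch rather than a manual version check.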
Affected product versions and vulnerability details:
CVE | Product | Component | Remote Exploit without Auth.? | Base score | Supported Versions Affected |
--- | --- | --- | --- | --- | --- |
CVE-2017-5645 | Enterprise Manager Base Platform | Installer (Apache Log4j) | Yes | 9.8 | 12.1.0.5, 13.2.x |
CVE-2017-5645 | Enterprise Manager Base Platform | Security Framework (Apache Log4j) | Yes | 9.8 | 12.1.0.5, 13.2.x |
CVE-2017-5645 | Enterprise Manager for Fusion Middleware | Application Replay (Apache Log4j) | Yes | 9.8 | 12.1.0.5, 13.2.x |
CVE-2017-5645 | Enterprise Manager for Fusion Middleware | FMW Plugin for CC (Apache Log4j) | Yes | 9.8 | 12.1.0.5, 13.2.x |
CVE-2017-5645 | Enterprise Manager for MySQL Database | EM Plugin: General (Apache Log4j) | Yes | 9.8 | 13.2.2.0.0 and prior |
CVE-2017-5645 | Enterprise Manager for Oracle Database | Provisioning (Apache Log4j) | Yes | 9.8 | 12.1.0.8, 13.2.2 |
CVE-2017-5645 | Enterprise Manager for Peoplesoft | PSEM Plugin (Apache Log4j) | Yes | 9.8 | 13.1.1.1, 13.2.1.1 |
CVE-2017-5645 | Oracle Banking Platform | Collections (Apache Log4j) | Yes | 9.8 | 2.6.0, 2.6.1, 2.6.2 |
CVE-2017-5645 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Log4j) | Yes | 9.8 | 7.3.3.x, 8.0.x |
CVE-2017-5645 | Oracle Financial Services Behavior Detection Platform | Ingestion (Apache Log4j) | Yes | 9.8 | 8.0.x |
CVE-2017-5645 | Oracle Financial Services Funds Transfer Pricing | Logging (Apache Log4j) | Yes | 9.8 | 6.1.1, 8.0.x |
CVE-2017-5645 | Oracle Financial Services Hedge Management and IFRS Valuations | Logging (Apache Log4j) | Yes | 9.8 | 8.0.4, 8.0.5 |
CVE-2017-5645 | Oracle Financial Services Loan Loss Forecasting and Provisioning | Logging (Apache Log4j) | Yes | 9.8 | 8.0.4, 8.0.5 |
CVE-2017-5645 | Oracle Financial Services Profitability Management | Logging (Apache Log4j) | Yes | 9.8 | 6.1.1, 8.0.x |
CVE-2017-5645 | Oracle Enterprise Data Quality | General (Apache Log4j) | Yes | 9.8 | 12.2.1.3.0 |
CVE-2017-5645 | Oracle Fusion Middleware MapViewer | Install (Apache Log4j) | Yes | 9.8 | 12.2.1.2, 12.2.1.3 |
CVE-2017-5645 | MySQL Enterprise Monitor | Service Manager (Apache Log4j) | Yes | 9.8 | 3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior |
CVE-2017-5645 | PeopleSoft Enterprise FIN Install | Security (Apache Log4j) | Yes | 9.8 | 9.2 |
CVE-2017-5645 | Oracle Policy Automation | Determinations Engine (Apache Log4j) | Yes | 9.8 | 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10 |
CVE-2017-5645 | Oracle Policy Automation Connector for Siebel | Core (Apache Log4j) | Yes | 9.8 | 10.4.6 |
CVE-2017-5645 | Oracle Policy Automation for Mobile Devices | Core (Apache Log4j) | Yes | 9.8 | 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10 |
CVE-2017-5645 | Oracle Retail Clearance Optimization Engine | General Application (Apache Log4j) | Yes | 9.8 | 14.0.5 |
CVE-2017-5645 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Apache Log4j) | Yes | 9.8 | 13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x, 16.0.x |
CVE-2017-5645 | Oracle Retail Integration Bus | RIB Kernal (Apache Log4j) | Yes | 9.8 | 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.0, 14.1.0, 15.0, 16.0 |
CVE-2017-5645 | Oracle Retail Predictive Application Server | RPAS Fusion Client (Apache Log4j) | Yes | 9.8 | 15.0.3 |
CVE-2017-5645 | Oracle Retail Service Backbone | Install (Apache Log4j) | Yes | 9.8 | 14.0.x, 14.1.x, 15.0.x, 16.0.x |
CVE-2017-5645 | Oracle Retail Service Layer | Installation (Apache Log4j) | Yes | 9.8 | 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x |
CVE-2017-5645 | Oracle AutoVue VueLink Integration | Installation Issues (Apache Log4j) | Yes | 9.8 | 21.0.0, 21.0.1 |
CVE-2017-5645 | Oracle Utilities Network Management System | Logging (Apache Log4j) | Yes | 9.8 | 1.12.x, 2.3.x |
CVE-2017-5645 | Oracle Utilities Work and Asset Management | Logging (Apache Log4j) | Yes | 9.8 | 1.9.1.2.12 |