Have you heard of CVE-2017-5645? Oracle Critical Patch Update Advisory – July 2018.

Background

The Java programming language sometimes looks like an accomplice. The Java sandbox attempts to enforce a privilege model that permits safe execution of untrusted code, and is most famously used to permit the automatic execution of Java applets in a browser.

Vulnerability details

Apache Log4j is a Java-based logging utility and one of several Java logging frameworks. A design flaw in Log4j, which is bundled with many Oracle products, leaves those products remotely exploitable without authentication, i.e., the flaw may be exploited over a network without requiring user credentials.

Sample use of the Log4j library

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class Jangles {

    // Obtain a logger through Apache Commons Logging; Log4j is picked up as the backend.
    private static Log log = LogFactory.getLog(Jangles.class);

    public static void main(String[] args) {
        log.info("This is a testing message.");
        // Guard the debug call so the message is only emitted when DEBUG is enabled.
        if (log.isDebugEnabled()) {
            log.debug("This is a testing message.");
        }
    }
}

The sample above lets Log4j control the output of other libraries that use Apache Commons Logging, such as the Java Caching System.
So, do you think this is the root cause of the vulnerability?

This vulnerability's reference number dates back to 2017. However, the Oracle Critical Patch Update Advisory for July 2018 still carries a status update for it. If you are an Oracle product user, you must stay alert!

Vulnerability detail:

This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The official announcement is linked below:

Oracle Critical Patch Update Advisory – July 2018 – http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixEM


Affected product versions and vulnerability details:

| CVE | Product | Component | Remote Exploit without Auth.? | Base score | Supported Versions Affected |
|---|---|---|---|---|---|
| CVE-2017-5645 | Enterprise Manager Base Platform | Installer (Apache Log4j) | Yes | 9.8 | 12.1.0.5, 13.2.x |
| CVE-2017-5645 | Enterprise Manager Base Platform | Security Framework (Apache Log4j) | Yes | 9.8 | 12.1.0.5, 13.2.x |
| CVE-2017-5645 | Enterprise Manager for Fusion Middleware | Application Replay (Apache Log4j) | Yes | 9.8 | 12.1.0.5, 13.2.x |
| CVE-2017-5645 | Enterprise Manager for Fusion Middleware | FMW Plugin for CC (Apache Log4j) | Yes | 9.8 | 12.1.0.5, 13.2.x |
| CVE-2017-5645 | Enterprise Manager for MySQL Database | EM Plugin: General (Apache Log4j) | Yes | 9.8 | 13.2.2.0.0 and prior |
| CVE-2017-5645 | Enterprise Manager for Oracle Database | Provisioning (Apache Log4j) | Yes | 9.8 | 12.1.0.8, 13.2.2 |
| CVE-2017-5645 | Enterprise Manager for Peoplesoft | PSEM Plugin (Apache Log4j) | Yes | 9.8 | 13.1.1.1, 13.2.1.1 |
| CVE-2017-5645 | Oracle Banking Platform | Collections (Apache Log4j) | Yes | 9.8 | 2.6.0, 2.6.1, 2.6.2 |
| CVE-2017-5645 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Log4j) | Yes | 9.8 | 7.3.3.x, 8.0.x |
| CVE-2017-5645 | Oracle Financial Services Behavior Detection Platform | Ingestion (Apache Log4j) | Yes | 9.8 | 8.0.x |
| CVE-2017-5645 | Oracle Financial Services Funds Transfer Pricing | Logging (Apache Log4j) | Yes | 9.8 | 6.1.1, 8.0.x |
| CVE-2017-5645 | Oracle Financial Services Hedge Management and IFRS Valuations | Logging (Apache Log4j) | Yes | 9.8 | 8.0.4, 8.0.5 |
| CVE-2017-5645 | Oracle Financial Services Loan Loss Forecasting and Provisioning | Logging (Apache Log4j) | Yes | 9.8 | 8.0.4, 8.0.5 |
| CVE-2017-5645 | Oracle Financial Services Profitability Management | Logging (Apache Log4j) | Yes | 9.8 | 6.1.1, 8.0.x |
| CVE-2017-5645 | Oracle Enterprise Data Quality | General (Apache Log4j) | Yes | 9.8 | 12.2.1.3.0 |
| CVE-2017-5645 | Oracle Fusion Middleware MapViewer | Install (Apache Log4j) | Yes | 9.8 | 12.2.1.2, 12.2.1.3 |
| CVE-2017-5645 | MySQL Enterprise Monitor | Service Manager (Apache Log4j) | Yes | 9.8 | 3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior |
| CVE-2017-5645 | PeopleSoft Enterprise FIN Install | Security (Apache Log4j) | Yes | 9.8 | 9.2 |
| CVE-2017-5645 | Oracle Policy Automation | Determinations Engine (Apache Log4j) | Yes | 9.8 | 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10 |
| CVE-2017-5645 | Oracle Policy Automation Connector for Siebel | Core (Apache Log4j) | Yes | 9.8 | 10.4.6 |
| CVE-2017-5645 | Oracle Policy Automation for Mobile Devices | Core (Apache Log4j) | Yes | 9.8 | 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10 |
| CVE-2017-5645 | Oracle Retail Clearance Optimization Engine | General Application (Apache Log4j) | Yes | 9.8 | 14.0.5 |
| CVE-2017-5645 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Apache Log4j) | Yes | 9.8 | 13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x, 16.0.x |
| CVE-2017-5645 | Oracle Retail Integration Bus | RIB Kernal (Apache Log4j) | Yes | 9.8 | 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.0, 14.1.0, 15.0, 16.0 |
| CVE-2017-5645 | Oracle Retail Predictive Application Server | RPAS Fusion Client (Apache Log4j) | Yes | 9.8 | 15.0.3 |
| CVE-2017-5645 | Oracle Retail Service Backbone | Install (Apache Log4j) | Yes | 9.8 | 14.0.x, 14.1.x, 15.0.x, 16.0.x |
| CVE-2017-5645 | Oracle Retail Service Layer | Installation (Apache Log4j) | Yes | 9.8 | 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x |
| CVE-2017-5645 | Oracle AutoVue VueLink Integration | Installation Issues (Apache Log4j) | Yes | 9.8 | 21.0.0, 21.0.1 |
| CVE-2017-5645 | Oracle Utilities Network Management System | Logging (Apache Log4j) | Yes | 9.8 | 1.12.x, 2.3.x |
| CVE-2017-5645 | Oracle Utilities Work and Asset Management | Logging (Apache Log4j) | Yes | 9.8 | 1.9.1.2.12 |
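As an added example (not part of the original post or of Oracle's advisory), a small Python checker that tells a defender whether an installed product version falls under the "Supported Versions Affected" column as the table spells it ("13.2.x", "8.0.0.8131 and prior", "9.2"). The embedded rows are transcribed from a few lines of the table above; the product/version pairs it is run against are constructed.

```python
"""Match an installed Oracle product version against the 'Supported Versions
Affected' column of the CVE-2017-5645 rows transcribed above (defender's check)."""

# Rows transcribed from the page's table: (product, component, affected versions).
ADVISORY_ROWS = [
    ("Enterprise Manager Base Platform", "Installer", "12.1.0.5, 13.2.x"),
    ("Enterprise Manager Base Platform", "Security Framework", "12.1.0.5, 13.2.x"),
    ("MySQL Enterprise Monitor", "Service Manager",
     "3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior"),
    ("PeopleSoft Enterprise FIN Install", "Security", "9.2"),
    ("Oracle Utilities Network Management System", "Logging", "1.12.x, 2.3.x"),
]


def parse_version(text):
    """'12.1.0.5' -> (12, 1, 0, 5); tuples compare component-wise like versions do."""
    return tuple(int(part) for part in text.strip().split("."))


def version_matches(installed, spec):
    """Return True if `installed` falls under one entry of the affected-version column.

    Three spellings appear in the table:
      '13.2.x'                -> any version whose leading components are 13.2
      '8.0.0.8131 and prior'  -> any version <= 8.0.0.8131 (taken literally, across
                                 the whole version line, as the advisory words it)
      '9.2'                   -> exactly 9.2
    """
    spec = spec.strip()
    inst = parse_version(installed)
    if spec.endswith("and prior"):
        return inst <= parse_version(spec[: -len("and prior")])
    if spec.endswith(".x"):
        prefix = parse_version(spec[:-2])
        return inst[: len(prefix)] == prefix
    return inst == parse_version(spec)


def affected_components(product, installed, rows=ADVISORY_ROWS):
    """List the components of `product` whose affected versions cover `installed`."""
    hits = []
    for row_product, component, versions in rows:
        if row_product != product:
            continue
        if any(version_matches(installed, entry) for entry in versions.split(",")):
            hits.append(component)
    return hits


if __name__ == "__main__":
    # Constructed inventory entries, not from the page.
    for product, version in [("Enterprise Manager Base Platform", "13.2.1"),
                             ("MySQL Enterprise Monitor", "8.0.0.8200")]:
        print(product, version, "->", affected_components(product, version) or "not listed")
```

To cover a full estate, extend ADVISORY_ROWS with the remaining rows of the table and feed it the product/version pairs from your asset inventory.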