Author: JJ Millen, DBA Consultant, Namos Solutions
In light of the announcement of the ubiquitous Log4Shell vulnerability, there are many voices offering different opinions. What is clear is that action is needed. In this blog post we’ll focus on the impact on Oracle Fusion and Oracle E-Business Suite customers, put the relevant documentation at your fingertips, and advise you of action taken or action required.
What has happened?
- CVE-2021-44228 aka “Log4Shell” has been announced and it is an RCE zero-day vulnerability.
- It was discovered in Apache Log4j, which is a widespread Java logging library.
- The vulnerability enables hackers to execute code on servers without authentication.
What is Log4j and why should I be worried?
Log4j is an Apache tool for recording log file entries. Vulnerabilities like this exist when proper input validation is missing. Input validation prevents the execution of code that has been deliberately constructed to fool the logging process into executing part of the string. In other words, it is a way for hackers to run any code on your server.
This type of exploit is commonly known as an RCE (Remote Code Execution). Hackers could gain (and in many cases will have gained) the ability to run code at the Operating System level. This not only places extreme risk on that server, but also on any servers to which it can connect. If your network level protection is not robust (e.g. firewalls, network separation), this vulnerability will be used by hackers as a stepping stone to exploit other weaknesses within your network.
What Oracle Products are affected?
Oracle have published a comprehensive list of affected software, which can be found here:
Apache Log4j Security Alert CVE-2021-44228 (Doc ID 2827611.1)
Risk
This vulnerability has been rated 10/10 by NIST. This is based on ease of execution and risk. In short, if you are an IT professional and you are not already taking action against this, you should be.
Unfortunately, when vulnerabilities are publicised, it is not just IT professionals who spring into action; nefarious hackers know that the window of opportunity is closing. You must take action to protect your systems.
If you ignore this, any publicly available system with this vulnerability will be compromised. It is only a matter of time.
Mitigation
Oracle Fusion
One of the significant benefits of Software-as-a-Service (SaaS) products is the peace of mind that the administrative overhead is handled by the experts. Shortly after the announcement, Oracle started systematically and proactively rolling out patches to Fusion environments. In contrast to self-managed systems, Oracle has minimised risk through its expeditious action. This benefit should not be underestimated. Take a moment to consider that this threat was publicised on a Friday, which left many systems vulnerable over the whole weekend.
If you are a Fusion customer, you should have already received a maintenance update. If you’re not already familiar with Fusion updates, you should review the policy here:
Oracle Applications Cloud – Fusion Applications Update Policy (Doc ID 1966109.1).
Oracle E-Business Suite
Release 12.1.3 and Release 12.2 customers should read the following to establish whether they are vulnerable.
The E-Business Suite mitigations are detailed here:
CVE-2021-44228 Advisory for Oracle E-Business Suite (Apache log4j Vulnerabilities) (Doc ID 2827804.1).
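For self-managed servers, a first inventory pass can be scripted. The following is an added example, not part of the original post and not Oracle's procedure: it walks a directory tree and reports every archive (including JARs bundled inside WAR/EAR files) that still contains Log4j 2's JndiLookup class, along with the log4j-core version recorded in the archive. The function names and the choice of scan root are assumptions made for illustration.

```python
import io
import os
import re
import zipfile

# Log4j 2.x class that performs the JNDI lookup involved in CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def read_version(zf):
    """Return the log4j-core version recorded in the archive, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    text = zf.read(POM_PROPS).decode("utf-8", "replace")
    match = re.search(r"^version=(.+)$", text, re.MULTILINE)
    return match.group(1).strip() if match else None


def scan_archive(fileobj, label, depth=0, max_depth=3):
    """Yield (label, version) for each archive level holding JndiLookup.class."""
    try:
        with zipfile.ZipFile(fileobj) as zf:
            names = zf.namelist()
            if JNDI_CLASS in names:
                yield label, read_version(zf)
            for name in names:  # descend into bundled archives (fat JAR, WAR, EAR)
                if depth < max_depth and name.lower().endswith(ARCHIVE_EXT):
                    inner = io.BytesIO(zf.read(name))
                    yield from scan_archive(inner, f"{label}!{name}", depth + 1, max_depth)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        return  # corrupt, unreadable or encrypted archive: skip, keep scanning


def scan_tree(root):
    """Walk root and return findings sorted by archive path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                findings.extend(scan_archive(path, path))
    return sorted(findings, key=lambda item: item[0])


if __name__ == "__main__":
    for label, version in scan_tree(os.getcwd()):
        print(f"{label}\tlog4j-core {version or 'version unknown'}")
```

Compare each reported version with the affected releases listed in the vendor advisory. Copies of Log4j that have been repackaged under a different class path will not match this check, so an empty result is not proof of absence.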
How can Namos help you?
Namos provide robust networking systems, with a focus on robust security mechanisms with minimal impact on practicality and performance. Our systems embody the defence in depth ethos, which minimises exposure in the event of unexpected vulnerabilities.
Namos can do a review of your systems to establish if you have any remaining vulnerabilities and advise how to mitigate them and how to improve your overall security posture.
About Namos Solutions
Namos Solutions are an award-winning Oracle OPN Modernised Partner specialising in the implementation and support of ERP, EPM and HCM business solutions, both in the Cloud and on-premise.
Although based in central London, we work wherever our clients need us to be. Many leading organisations located all over the world trust and rely on our expertise to deliver industry-leading business solutions. Namos customers can currently be found in the UK, Europe, Middle East, Asia Pacific, North America and Africa.
For more information, please visit www.namossolutions.com or email info@namossolutions.com.