MCX is aware that a new vulnerability has been found in Log4j: CVE-2021-45046. While this new vulnerability is not critical, its description may indicate that the solution Oracle provided for the original issue (CVE-2021-44228) may not be correct and/or complete. However, the news is still so fresh that Oracle has not yet been able to publish any updates on MOS.
Customers with environments that are accessible from the entire internet have already been informed of this development by MCX. They have been advised to temporarily restrict access to these environments or to take them completely offline. Some customers have implemented a possible fix.
As soon as Oracle provides updates, we will inform our customers in the usual way.
My Oracle Support note 2827611.1 lists the patches that are available for the products affected by Log4Shell. At this moment (10am) only two products have patches available. Oracle E-Business Suite and PeopleSoft are not yet on that list. When more information becomes available, we will inform you.
On December 11th, 2021, Oracle posted a vulnerability on its website, named Log4Shell, which applies to Apache Log4j. At this moment (11-12-2021, 12.30) no patch is available. MCX stays on top of the news. When a patch becomes available, MCX will create an impact analysis and will inform impacted customers for further follow-up. The intrusion detection system has been updated to detect exploitation of this vulnerability.
If you have additional questions, please contact MCX at +31 55 5260670 and ask for the Security Officer.