Last week information security media reported the discovery of the critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). The vulnerability, when exploited, results in remote code execution on the vulnerable server with system-level privileges.

This bulletin serves to make our clients and other members of the Hyperion community aware of the vulnerability and outlines our understanding of the impact on users of Oracle Hyperion EPM and related products.

Oracle Products

Oracle issued a Security Alert on Friday 10th December 2021. This Security Alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

For the status of Oracle products affected by this vulnerability, please monitor the Oracle Security Blog post "Security Alert Advisory – CVE-2021-44228" and the related links therein. Reference should also be made to My Oracle Support document Doc ID 2827611.1 for lists of patches available, pending, under investigation, etc.

It is our understanding that the vulnerability affects on-premises products only and not EPM Cloud.

Our summary of the effect on Hyperion EPM products as it currently (10 January 2022) stands is as follows (no change since the last update on 17 December):

  • As of 17 December 2021, Oracle has announced that patching is not required but that mitigation steps need to be taken for implementations of the following products: HFM, Planning, DRM, Tax Provision, and HPCM. These mitigation steps involve editing the log4j*.jar files in the installed environments.

  • Hyperion EPM 11.1.2.x implementations are presumed to be unaffected.
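Because the mitigation edits jar files rather than replacing them, a site will want a repeatable way to confirm which log4j jars on a server still need attention. The script below is an added example (not Oracle's or AMOSCA's tooling) that inventories log4j*.jar files under an install root, reads the version from the file name, and reports whether the JndiLookup class is still inside each 2.x jar; the install paths and the sample jars it builds are constructed for the demo.

```python
# Added check (not Oracle's or AMOSCA's tooling): walk an EPM install root and list
# each log4j*.jar with its version and whether JndiLookup.class is still inside.
import re, tempfile, zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_version(path):
    # Version taken from the file name, e.g. log4j-core-2.14.1.jar -> (2, 14, 1)
    m = re.search(r"(\d+(?:\.\d+)+)", path.name)
    return tuple(int(x) for x in m.group(1).split(".")) if m else ()

def assess(root):
    # Return {relative jar path: status} for every log4j*.jar below root
    results = {}
    for path in Path(root).rglob("log4j*.jar"):
        with zipfile.ZipFile(path) as zf:
            has_jndi = JNDI_CLASS in zf.namelist()
        version = jar_version(path)
        if version[:1] != (2,):
            status = "not-log4j2"   # 1.x jars are outside this alert's scope
        elif version[:2] >= (2, 15):
            status = "fixed"        # the bulletin's "upgrade to 2.15.x" threshold
        elif has_jndi:
            status = "VULNERABLE"   # 2.x below 2.15 with JndiLookup still present
        else:
            status = "mitigated"    # JndiLookup removed, as in the Oracle mitigation
        results[path.relative_to(root).as_posix()] = status
    return results

def build_sample_tree(root):
    # Constructed sample jars (not real Oracle files), one per status
    samples = {"products/log4j-core-2.14.1.jar": True,
               "products/mitigated/log4j-core-2.14.1.jar": False,
               "products/log4j-core-2.15.0.jar": True,
               "products/legacy/log4j-1.2.17.jar": False}
    for rel, with_jndi in samples.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(Path(root, rel), "w") as zf:
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return root

def demo():
    with tempfile.TemporaryDirectory() as d:  # build, assess, then clean up
        return assess(build_sample_tree(d))

if __name__ == "__main__":
    print(demo())
```

On a real server, call assess() with the EPM installation root (for example the Middleware home) instead of the constructed tree.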

Companion Products

The following companion products often used in conjunction with Hyperion EPM do not use Apache Log4j version 2.x and are therefore unaffected by this alert:

EPM Maestro Suite, MerlinXL, EPM FastTrack, Accelatis, Dodeca, Serviceware Performance (cubus outperform)

The following products have identified exposure to the vulnerability and the fix status should be followed on the links provided:

Workiva – support.workiva.com

EPMWare – Support

From the Apache side

You can track the issue on the Apache Issues site. All Log4j 2.x instances need to be upgraded to 2.15.x.

AMOSCA Support Centre assistance

For further assistance, please contact the ASC Helpdesk.

We will continue to update this page as appropriate. Last updated 10 January 2022.