Log4j Vulnerability

Some users have raised concerns about the recently reported vulnerability in Apache Log4j (CVE-2021-44228), a widely used Java logging library.

Please see Bentley's security update here: https://communities.bentley.com/products/w/products__wiki/57356/bentley-security-update-december-2021

Our Managed Service users should not be affected - the servers have been checked and are safe.

For on-premise users, to find out whether you are affected, check the following:

CVE-2021-44228 Apache Log4j — oracle-mosc

  • If you find log4j-1.x*jar, you are not affected
  • If you find log4j-2.x*jar, you may be affected
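
The file-name check above, written as a script. This is an added example, not Bentley or Oracle tooling; it assumes a POSIX shell with find, and the function names are hypothetical. The log4j-core, log4j-api and log4j-1.2-api patterns are an assumption that goes beyond the page's log4j-2.x*jar pattern, included because Log4j 2 is commonly distributed under those file names.

```shell
#!/bin/sh
# Added example (not vendor tooling): apply the page's file-name rule to every
# Log4j jar found under a directory. Function names are hypothetical.

# classify_log4j_jar PATH
# Prints one of: may-be-affected | not-affected | unknown
classify_log4j_jar() {
    name=$(basename "$1")
    case "$name" in
        # Page rule: log4j-2.x*jar -> may be affected.
        # Assumption beyond the page: Log4j 2 also ships as log4j-core-2.x,
        # log4j-api-2.x and the 1.x bridge log4j-1.2-api-2.x.
        log4j-2.*jar|log4j-core-2.*jar|log4j-api-2.*jar|log4j-1.2-api-2.*jar)
            echo "may-be-affected" ;;
        # Page rule: log4j-1.x*jar -> not affected.
        log4j-1.*jar)
            echo "not-affected" ;;
        # Version is not readable from the name; check the jar by hand.
        *)
            echo "unknown" ;;
    esac
}

# scan_log4j [DIR]
# Prints "<status><TAB><path>" for each log4j*.jar below DIR (default: .).
scan_log4j() {
    root=${1:-.}
    find "$root" -type f -name 'log4j*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        printf '%s\t%s\n' "$(classify_log4j_jar "$jar")" "$jar"
    done
}

# Run a scan only when a directory is given, e.g.: sh scan.sh /path/to/install
if [ $# -gt 0 ]; then
    scan_log4j "$1"
fi
```

A file-name scan does not see jars packed inside WAR or EAR archives, so an empty result is not proof that Log4j 2 is absent.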

Exor 4700 and 4800 systems should be unaffected, as Oracle 11g uses a lower release of Log4j.

For Exor 4900 there is a mitigation for Fusion 12.2.1.4. Please follow the instructions given in Security Alert CVE-2021-44228 Patch Availability Document for Oracle Fusion Middleware (Doc ID 2827793.1).

There is more information about the security alert in the following links:

Security Alert CVE-2021-44228 blog
Oracle Security Alert Advisory - CVE-2021-44228
NOTE:1074055.1 - Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products 
NOTE:2827611.1 - Apache Log4j Security Alert CVE-2021-44228 Products and Versions