By Clemens Bleile

To address the log4j-vulnerability I recently had to fix the Oracle Enterprise Manager 13.4.-installation for a customer.

REMARK: Please check the following link for details concerning the log4j-vulnerability and how Oracle is affected:

alert-cve-2021-44228

and the following MOS Notes:

– Impact of December 2021 Apache Log4j Vulnerabilities on Oracle Products and Services (CVE-2021-44228, CVE-2021-45046) (Doc ID 2827611.1)
– Impact of December 2021 Apache Log4j Vulnerabilities on Oracle on-premises products (CVE-2021-44228, CVE-2021-45046) (Doc ID 2830143.1)
– Security Alert For CVE-2021-44228,CVE-2021-45046 & CVE-2021-45105 Patch Availability Document for Oracle Enterprise Manager Cloud Control (Doc ID 2828296.1)

REMARK: The link and the MOS Notes were correct at the time of writing the Blog. But this may have changed in the meantime.

According to the latter MOS Note, the following has to be patched on OEM 13.4:

1. Patch WLS to OCT 2021: Patch 33412599

unzip p33412599_122130_Generic.zip
cd 33412599
emctl stop oms -all
opatch apply
emctl start oms

REMARK: Patch 33691226 (12.2.1.3) is not applicable to EM Cloud Control 13c (13.4). See MOS Note “Security Alert CVE-2021-44228 / CVE-2021-45046 Patch Availability Document for Oracle WebLogic Server and Fusion Middleware (Doc ID 2827793.1)”.

2. Apply Patch 33672721 on OMS Middleware HOME (DB Plugin Home Patch)

unzip p33672721_134100_Generic.zip
cd 33672721
emctl stop oms
export PATH=$ORACLE_HOME/OMSPatcher:$PATH
omspatcher apply
emctl start oms

During the patching of WLS with the OCT 2021 patch, the opatch utility did hang:

/home/oracle/cbleile/log4j_patch_for_OEM/33412599/ [oms13c] opatch apply
...
OPatch detects the Middleware Home as "/u01/app/oracle/middleware134"

Verifying environment and performing prerequisite checks...

Using

ps -ef | grep opatch

I could see a hanging fuser-command. The reason for the hang was a stale NFS-mount, because the NFS-server was down. The same would have happened with the second patch and omspatcher. To be able to continue I could force the unmount of the stale NFS-mount with the command

umount -f -l /mnt/orarepo

The hanging opatch-command could be Ctrl-C’ed and the patching repeated. opatch went through then.

REMARK: To avoid the problem in the future, it is advisable to soft-mount NFS, e.g. as documented in this Blog.

The whole problem with opatch and fuser has also been documented here. In that Blog an alternative workaround has been provided by using a fake-fuser-command through the property_file option of opatch.
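
A pre-flight check for the hang described above, as an added example that is not part of the original post: it lists the NFS mounts from a table in /proc/mounts layout and probes each one under a timeout, so a stale mount is found before opatch or omspatcher calls fuser. The function names, the 5-second timeout and the sample table are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: find NFS mounts that would make
# the fuser call inside opatch/omspatcher hang, before the OMS is stopped.

PROBE_TIMEOUT=${PROBE_TIMEOUT:-5}    # seconds; assumed value, tune as needed

# Print the mount point of every nfs/nfs4 entry of a mounts table
# (layout of /proc/mounts: device mountpoint fstype options dump pass).
list_nfs_mounts() {
    awk '$3 == "nfs" || $3 == "nfs4" { print $2 }' "$1" |
    while IFS= read -r mp; do
        printf '%b\n' "$mp"          # /proc/mounts encodes a space as \040
    done
}

# Return 0 if the mount point answers stat(1) within PROBE_TIMEOUT seconds.
# stat blocks on a stale hard mount just as fuser does, so it runs under
# timeout(1); KILL is used because a blocked NFS call only yields to fatal signals.
probe_mount() {
    timeout -s KILL "$PROBE_TIMEOUT" stat -- "$1" >/dev/null 2>&1
}

# Print each NFS mount point that fails the probe; return 1 if any did.
check_stale_nfs() {
    stale=$(list_nfs_mounts "$1" | while IFS= read -r mp; do
        probe_mount "$mp" || printf '%s\n' "$mp"
    done)
    [ -z "$stale" ] && return 0
    printf '%s\n' "$stale"
    return 1
}

# Constructed sample in /proc/mounts layout ("nfssrv" and "/mnt/sw depot" are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
nfssrv:/export/orarepo /mnt/orarepo nfs4 rw,hard 0 0
nfssrv:/export/sw /mnt/sw\040depot nfs rw,soft 0 0
EOF
echo "NFS mounts found in the sample table:"
list_nfs_mounts "$sample"
rm -f "$sample"

# Real use, before "opatch apply" or "omspatcher apply":
#   check_stale_nfs /proc/mounts || echo "repair or unmount these first" >&2
```

Because the NFS client caches attributes, a probe can still pass for a short while after the server has gone away, so run the check immediately before patching.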

Finally everything could be patched successfully and I verified everything is OK with the Enterprise Manager 13.4.-installation:

/home/oracle/ [oms13c] opatch lspatches | grep 33412599
33412599;WLS PATCH SET UPDATE 12.2.1.3.210929
/home/oracle/ [oms13c] opatch lspatches | grep 33672721
33672721;Fix for bug 33672721