Skip to Main Content

Oracle Database Discussions

Can I delete $ORACLE_HOME/md/property_graph/lib/log4j-core-2.9.0.jar file?

We have a bit of a predicament, we are on 18c on Oracle Linux 7 and seems that Oracle will not be releasing any new patches for this release. We have a plan to upgrade to 19c, but that will take a few months to accomplish. Security scans flagged $ORACLE_HOME/md/property_graph/lib/log4j-core-2.9.0.jar file as a vulnerability with the recent announcement from apache. $ORACLE_HOME/md/... directory seems to be related to spatial or locator options, we don't use either one. Can we just delete this file? I've got a SR open with Oracle support, but they are just pointing to the "Apache Log4j Security Alert CVE-2021-44228 Products and Versions ( Doc ID 2827611.1 )" document. It states that db is not affected by this vulnerability, but security tools don't like the presence of that file.

This post has been answered by user13297735 on Dec 16 2021
Jump to Answer
Post Details
Added on Dec 15 2021