Addressing Log4j Vulnerability Reports in Oracle Standard Edition with DLP Installation.

Article ID: 278204

Updated On: 06-16-2025

Products

Data Loss Prevention

Issue/Introduction

The installation of Oracle Standard Edition 2 includes files that have been flagged as vulnerable due to Log4j.
Files "tfa.war" and "log4j-core-2.9.1.jar" are identified within the TFA (Trace File Analyzer) directories of the database installation.

The installation process followed the standard procedure, utilizing response files provided by Broadcom.
The file paths for the identified vulnerable files are as follows:

\oracle\product\19.3.0.0\db_1\suptools\tfa\release\tfa_home\jlib\tfa.war
\oracle\product\19.3.0.0\db_1\suptools\tfa\release\tfa_home\jlib\log4j-core-2.9.1.jar

This situation indicates that the Log4j vulnerability persists even after the latest Critical Patch Update (CPU) has been applied, raising concerns about the effectiveness of the security measures in place.

Environment

15.8 MP2, 16.0 and 16.0 RU1 with Oracle Standard Edition.


Resolution

The files "tfa.war" and "log4j-core-2.9.1.jar" are not vulnerable.
Their presence does not expose any security issues. Although Oracle offers a newer version of TFA, TFA is not used by the DLP product or the Oracle SE2 database, so Log4j is not executed in DLP implementations.

Oracle strongly advises against removing these files, even if they are flagged, because removal may disrupt the patch history and cause issues when installing patches for components that the Oracle database actually uses.

Customers are advised to categorize this as a false positive.
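
An added example (not Broadcom's or Oracle's code): a read-only Python triage of scanner findings that locates log4j-core copies, including ones nested inside a WAR, and labels those under the TFA directory as the false positive described above without removing anything. It assumes that tfa.war is flagged because it bundles a log4j-core JAR and that a `tfa_home` path component identifies the TFA tree; the sample archives and paths are constructed.

```python
import io, re, zipfile
from pathlib import PureWindowsPath

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"(?:^|/)log4j-core-(\d+(?:\.\d+)*)\.jar$")

def find_log4j_core(name, data, depth=0):
    """List (location, version, has_JndiLookup) for each log4j-core copy in an
    archive, descending into nested .jar/.war entries (read-only)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    hits = []
    with zf:
        names = zf.namelist()
        m = CORE_JAR.search(name.replace("\\", "/"))
        if m or JNDI in names:
            hits.append((name, m.group(1) if m else "unknown", JNDI in names))
        for inner in names if depth < 3 else []:
            if inner.lower().endswith((".jar", ".war")):
                hits += find_log4j_core(f"{name}!{inner}", zf.read(inner), depth + 1)
    return hits

def under_tfa(path):
    """Assumption: a tfa_home path component marks the TFA tree from the article."""
    return "tfa_home" in (p.lower() for p in PureWindowsPath(path).parts)

def triage(path, data):
    """TFA copies are the false positive described above; others need review."""
    hits = find_log4j_core(path, data)
    if not hits:
        return "no-log4j-core", hits
    return ("tfa-false-positive" if under_tfa(path) else "review"), hits

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()

# Constructed sample archives: empty stubs, not real Oracle or Log4j files.
CORE = _zip({JNDI: b""})
WAR = _zip({"WEB-INF/lib/log4j-core-2.9.1.jar": CORE})
TFA_WAR = r"D:\oracle\db_1\suptools\tfa\release\tfa_home\jlib\tfa.war"  # constructed

if __name__ == "__main__":
    print(triage(TFA_WAR, WAR))
    print(triage(r"C:\app\lib\log4j-core-2.9.1.jar", CORE))
```

The status and hit list can be attached to the scanner exception record as evidence for the false-positive classification.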