The installation of Oracle Standard Edition 2 includes files that have been flagged as vulnerable due to Log4j.
Files "tfa.war" and "log4j-core-2.9.1.jar" are identified within the TFA (Trace File Analyzer) directories of the database installation.
The installation process followed the standard procedure, utilizing response files provided by Broadcom.
The file paths of the flagged files are:
\oracle\product\19.3.0.0\db_1\suptools\tfa\release\tfa_home\jlib\tfa.war
\oracle\product\19.3.0.0\db_1\suptools\tfa\release\tfa_home\jlib\log4j-core-2.9.1.jar
This suggests that the Log4j vulnerability persists even after the latest Critical Patch Update (CPU) has been applied, raising concerns about the effectiveness of the security measures in place.
15.8 MP2, 16.0 and 16.0 RU1 with Oracle Standard Edition.
The files "tfa.war" and "log4j-core-2.9.1.jar" are not vulnerable.
Their presence does not expose any security issue. Although Oracle offers a newer version of TFA, TFA is not used by the DLP product or by the Oracle SE2 database, so the bundled Log4j code is never executed in DLP implementations.
Oracle strongly advises against removing these files, even if they are flagged, because doing so may disrupt the patch history and cause problems when installing patches for components the Oracle database actually uses.
Customers are advised to categorize this as a false positive.
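As an added example (not part of this article or of any Oracle or Broadcom tooling), the following Python script inventories the named Log4j artifacts under an Oracle home, reads the version from each jar manifest, and separates copies under the TFA tree (which the article states DLP and the SE2 database never load) from copies anywhere else that still need review. It assumes the TFA directory is suptools\tfa\release\tfa_home\jlib and runs against a constructed sample tree rather than a real installation.

```python
import pathlib
import re
import tempfile
import zipfile

# Directory holding TFA, which the article states DLP and the SE2 database never load.
UNUSED_COMPONENT_DIRS = ("suptools/tfa/",)
ARTIFACT_RE = re.compile(r"^(log4j-core-[\d.]+\.jar|tfa\.war)$", re.IGNORECASE)


def log4j_version(path: pathlib.Path) -> str:
    """Implementation-Version from the jar manifest, else the version in the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    match = re.search(r"log4j-core-([\d.]+)\.jar", path.name, re.IGNORECASE)
    return match.group(1) if match else "unknown"


def classify(root: pathlib.Path) -> list[dict]:
    """One finding per matching artifact; TFA copies get the article's verdict."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and ARTIFACT_RE.match(p.name):
            rel = p.relative_to(root).as_posix().lower()
            unused = any(d in rel for d in UNUSED_COMPONENT_DIRS)
            findings.append({"path": rel,
                             "version": log4j_version(p) if p.suffix.lower() == ".jar" else "n/a",
                             "verdict": "false positive (TFA not loaded)" if unused else "review"})
    return findings


def build_sample(root: pathlib.Path) -> None:
    """Constructed tree: the two TFA files from the article plus a hypothetical jar elsewhere."""
    def jar(path: pathlib.Path, version: str) -> None:
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\r\n")
    tfa = root / "suptools/tfa/release/tfa_home/jlib"
    jar(tfa / "log4j-core-2.9.1.jar", "2.9.1")
    jar(tfa / "tfa.war", "1.0")  # a .war is a zip archive too
    jar(root / "lib/log4j-core-2.9.1.jar", "2.9.1")  # hypothetical copy outside TFA


def demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as d:  # build the constructed tree, classify it
        build_sample(pathlib.Path(d))
        return classify(pathlib.Path(d))
```

Point classify() at the real Oracle home instead of demo() to produce the evidence (path, version, verdict) for the scanner exception; any "review" verdict is a copy outside TFA that the article does not cover.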