How to Disable Log4j Libraries in Oracle Servers for Retail Pro Products
NIST announced a recent vulnerability in the Apache Log4j library, a Java library for logging error messages in applications. This has raised concern across the landscape about its impact and, more specifically, about its impact on products developed by Retail Pro.
Although our Retail Pro products do not utilize these libraries, Oracle does deploy Log4j in relation to the JRE implementation in an Oracle server. Our Oracle servers will contain several different copies of the log4j-core.jar file and a single copy of the log4j-1.2.13.jar file. These are deployed by Oracle and, according to documentation, would not be active in an OOBE installation of Retail Pro Prism or Retail Pro 9. This article details where those libraries are located within the Oracle folder structure and how to remove/disable them.
File Locations of the Log4j Libraries on 9.4/RIL:
[drive]:\Oracle\ODS12cr1\ccr\lib\log4j-core.jar
[drive]:\Oracle\ODS12cr1\OPatch\ocm\lib\log4j-core.jar
[drive]:\Oracle\ODS12cr1\sqldeveloper\sqldeveloper\lib\log4j-1.2.13.jar
[drive]:\Oracle\ODS12cr1\oui\jlib\jlib\log4j-core.jar
[drive]:\Oracle\ODS12cr1\sysman\jlib\ocm\log4j-core.jar
NOTE: The library below will exist on the server as well as on each Oracle client installation.
[drive]:\Oracle\ODS12cr1Cli\oui\jlib\jlib\log4j-core.jar
File Locations of the Log4j Libraries on 9.3:
[drive]:\Oracle\ODS11gr1\inventory\backup\2021-12-21_12-53-46PM\Scripts\ext\jlib
[drive]:\Oracle\ODS11gr1\inventory\Scripts\ext\jlib
[drive]:\Oracle\ODS11gr1\ccr\lib
[drive]:\Oracle\ODS11gr1\oui\jlib\jlib
[drive]:\Oracle\ODS11gr1\sysman\jlib
[drive]:\Oracle\ODS11gr1\sysman\jlib\ocm
[drive]:\Oracle\ODS11gr1\oc4j\ant\lib
NOTE: The library below will exist on the server as well as on each Oracle client installation.
[drive]:\Oracle\ODS11gr1Cli\sysman\jlib
[drive]:\Oracle\ODS11gr1Cli\oui\jlib\jlib
Remove / Disable the Log4j Libraries
To safely disable these libraries, browse to the locations listed above, locate the file(s) indicated, and change the extension of each file from .JAR to .BAK. Do this on all server and workstation systems where the files exist.
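The rename step above can be scripted so that it is repeatable across servers and workstations and leaves a record of what was changed. The following is an added example, not code from Retail Pro or Oracle; it assumes PowerShell 3.0 or later, takes the Oracle root folder as a hypothetical -OracleRoot parameter, and finds the jars by the name pattern log4j*.jar rather than by walking the fixed list of folders.

```powershell
# Added example (not Retail Pro or Oracle code). Assumes PowerShell 3.0 or later.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the Oracle root the article writes as [drive]:\Oracle, e.g. D:\Oracle
    [Parameter(Mandatory = $true)][string]$OracleRoot,
    # Without -Disable the script only inventories what it finds
    [switch]$Disable
)

if (-not (Test-Path -LiteralPath $OracleRoot -PathType Container)) {
    throw "Oracle root not found: $OracleRoot"
}

# Name pattern covers log4j-core.jar and log4j-1.2.13.jar from the article.
# Where-Object drops files whose extension merely starts with .jar, which -Filter can match.
$jars = Get-ChildItem -LiteralPath $OracleRoot -Recurse -File -Filter 'log4j*.jar' -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq '.jar' }

foreach ($jar in $jars) {
    $status = 'Found'
    if ($Disable) {
        $newName = [System.IO.Path]::ChangeExtension($jar.Name, '.bak')
        $target  = Join-Path -Path $jar.DirectoryName -ChildPath $newName
        if (Test-Path -LiteralPath $target) {
            # Never overwrite an earlier backup
            $status = 'Skipped (.bak already exists)'
        } elseif ($PSCmdlet.ShouldProcess($jar.FullName, "Rename to $newName")) {
            try {
                Rename-Item -LiteralPath $jar.FullName -NewName $newName -ErrorAction Stop
                $status = 'Renamed'
            } catch {
                # Typically a locked file or missing permissions
                $status = "Failed: $($_.Exception.Message)"
            }
        } else {
            $status = 'Not renamed (-WhatIf or declined)'
        }
    }
    # One record per jar, for the change log
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $jar.FullName
        Modified = $jar.LastWriteTime
        Status   = $status
    }
}
```

Saved under a file name of your choosing, run it once without -Disable to get the inventory, then with -Disable -WhatIf to preview the renames before applying them. Compare the inventory against the locations listed above so that only the files the article names are renamed.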