I'm reading the security issue about log4j and I understand the this product is affected by the vulnerability. But what I would like to know if oracle client 11.2 and 12 are affected by this issue. I couldn't find if those products use any log4j dependency or any documentation saying that those products are affected or not.

Could someone please clarify to me if other oracle products are affected by this problem ? Where I can check which dependencies those clients use ?

CodePudding user response：

The link below will let you know which Oracle Products need patches for log4j.

https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=128639578534085&id=2827611.1&_afrWindowMode=0&_adf.ctrl-state=hgo1qpenv_4

CodePudding user response：

That Oracle note says that patching Oracle Client isn't needed

5.0 Oracle products not requiring patches: Oracle Client [Product ID 5]

However I see log4j files in the Oracle Client 12.2 installation. ..\product\12.2.0\client_1\sqldeveloper\sqldeveloper\lib\log4j-1.2.13.jar

I'm a little bit confused...

CodePudding user response：

looks like it uses log4j version 1.2, which is not affected by the current vulnerability of log4j. That's why it is listed as no patches required.