The Log4shell vulnerability in Oracle® Hyperion, Essbase and OneStream XF®.

Note: This newsfeed summarises our information and solutions on the Log4shell vulnerability in Oracle® Hyperion and Essbase. It is updated on a regular basis. If you would like to be informed about new posts, subscribe to our newsletter.


February 28, 2023

Log4shell one year later

Over a year ago, the critical Java vulnerability Log4shell was disclosed. While OneStream XF® does not use Log4j, several Oracle® products were directly affected, including versions of Hyperion and Essbase. We were able to respond with our mitigation tool within 3 days of it becoming known, before the software vendors followed suit with updates.

Since Log4j is embedded in a great many software products, and because it is open source it is frequently repackaged under a different file name (bundled or "shaded" into another JAR), a search by file name alone does not find every copy. We therefore continue to advise updating your business-critical software alongside your EPM/CPM applications. Java is also used in industrial, medical and other specialised equipment, so the same check applies there.

For questions and problems related to Log4j, contact our support.


17 December 2021

Mitigation Tool

We have written a tool that searches for the Log4shell vulnerability in your business application and corrects it automatically. This is now available for download. If you have any questions, please contact our support. If you wish, we can also take over the application of the tool for you.


16 December 2021

We currently offer these solutions

Hosting customers

We have removed the affected Java class (JndiLookup) from Log4j in all hosted Hyperion environments. In addition, a filter is active in the intrusion prevention system that blocks the outbound connections (for example to an attacker-controlled LDAP or RMI server) on which an exploit of this vulnerability depends.

On Premise Customers

We have written a tool that searches for the Log4shell vulnerability and corrects it automatically. We expect to make this available for download from Friday 17 December. The procedure is as follows:

  1. Stop Hyperion (or other business software)
  2. Create a snapshot of the machine
  3. Run tool and check generated log
  4. Restart and test applications

If you wish, we can take over the application of the tool for you; please contact our support for this. Allow approximately one hour per environment.
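As an added example (not the vendor's mitigation tool described above, and not code from the original post), the following Python script does what the hosted-environment fix and the four-step on-premise procedure describe: it walks an installation tree, finds every Log4j 2.x archive, including copies bundled under another name inside WAR/EAR files, and rebuilds each one without the JndiLookup class after backing up the original. The directory names, the constructed sample tree and the version strings are assumptions made for the demonstration; on a real system, stop the application and take the snapshot from step 2 before running it without dry_run.

```python
"""Find Log4j 2.x archives under a directory and neutralise them by deleting
JndiLookup.class (the class Apache's mitigation guidance targets), including
copies hidden inside WAR/EAR files. Example code written for this post, not the
vendor's mitigation tool; sample data below is constructed."""
import io, os, shutil, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 3  # how far to follow archives nested inside archives


def manifest_version(zf):
    """Implementation-Version from the manifest if the archive calls itself Log4j."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):  # ignore continuation lines
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if "log4j" not in fields.get("Implementation-Title", "").lower():
        return None
    return fields.get("Implementation-Version")


def strip_jndi_lookup(data, depth=0):
    """Return (new_bytes, found, version): the archive rebuilt without
    JndiLookup.class at any nesting level, whether it was present, and the
    Log4j version seen. Non-archives and clean archives come back unchanged."""
    try:
        src = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return data, False, None
    found, version, out = False, manifest_version(src), io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                found = True  # drop this entry; everything else is copied as-is
                continue
            payload = src.read(info)
            if depth < MAX_DEPTH and info.filename.lower().endswith(ARCHIVE_EXT):
                payload, inner_found, inner_ver = strip_jndi_lookup(payload, depth + 1)
                found, version = found or inner_found, version or inner_ver
            dst.writestr(info, payload)
    return (out.getvalue() if found else data), found, version


def remediate_tree(root, dry_run=True):
    """Walk `root`; report every archive carrying JndiLookup.class and, unless
    dry_run, back it up (*.log4shell.bak) and overwrite it with the cleaned copy."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                new_data, found, version = strip_jndi_lookup(fh.read())
            if not found:
                continue
            findings.append({"path": path, "version": version, "fixed": not dry_run})
            if not dry_run:
                shutil.copy2(path, path + ".log4shell.bak")
                with open(path, "wb") as fh:
                    fh.write(new_data)
    return findings


def build_sample_tree(root):
    """Constructed sample: a log4j-core 2.14.1 jar, a WAR bundling a renamed copy
    of it (as shaded builds do), and a Log4j 1.x jar that must not be flagged."""
    manifest = ("Manifest-Version: 1.0\r\nImplementation-Title: Apache Log4j Core\r\n"
                "Implementation-Version: 2.14.1\r\n")
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # stand-in class bytes
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/logging-bundle.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")


def demo():
    """Dry-run scan, fix, re-scan on the constructed tree; returns the findings."""
    root = tempfile.mkdtemp(prefix="log4shell-demo-")
    try:
        build_sample_tree(root)
        before = remediate_tree(root, dry_run=True)
        fixed = remediate_tree(root, dry_run=False)
        after = remediate_tree(root, dry_run=True)
        with zipfile.ZipFile(os.path.join(root, "lib", "log4j-core-2.14.1.jar")) as zf:
            remaining = sorted(zf.namelist())
    finally:
        shutil.rmtree(root)
    return {"before": before, "fixed": fixed, "after": after, "remaining": remaining}


if __name__ == "__main__":
    for finding in demo()["fixed"]:
        print(f"neutralised {finding['path']} (Log4j {finding['version']})")
```

A dry run (the default) only reports; dry_run=False rewrites the archives in place. Delete the .log4shell.bak copies once the application has been tested, since they still contain the vulnerable class. Removing JndiLookup.class disables JNDI lookups in every Log4j 2.x release, so it also covers versions below 2.10, where the formatMsgNoLookups switch does not exist; it is a mitigation, not a substitute for the vendor patch.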


15 December 2021 (update 2)

The following products, often used in conjunction with Oracle® Hyperion, do not use Apache Log4j version 2.x and are therefore not affected by the vulnerability: EPM Maestro Suite, MerlinXL, EPM FastTrack, Accelatis, Dodeca, Serviceware Performance (cubus outperform)


15 December 2021

Last Friday (10 December), the critical Java vulnerability Log4shell (CVE-2021-44228) became known. The flaw lies in the Log4j logging library, which is embedded in countless software products worldwide: by getting a crafted string into a log message, an attacker can make the affected application load and execute code of their choice (remote code execution).

Which products are affected?

While Log4j is not used in OneStream XF®, Oracle® has published a list of its products that are specifically affected by the Log4shell vulnerability or are currently being investigated for it, as of 10 December. According to this list, Oracle® Hyperion and Essbase are affected wherever Log4j 2 versions 2.0 to 2.14.1 are in use. Log4j 1.x does not contain this bug, which is why the product versions Hyperion Financial Management 11.1.2.4 and Hyperion Financial Reporting 11.1.2.4 are not affected.


Oracle® products with available protection measures:

Hyperion 11.2.5.0.000 on Fusion Middleware 12.2.1.4, provided the log4j*.jar version in use is 2.10 or higher. Details are in the Oracle Security Alert Advisory for CVE-2021-44228 (see below). The 2.10 threshold exists because the log4j2.formatMsgNoLookups switch the advisory relies on was only introduced in that release; note that Apache has since declared this switch insufficient (see CVE-2021-45046) and recommends removing the JndiLookup class from the classpath, or upgrading Log4j, instead.


Oracle® products with pending patches:

DRM
EPMA
Essbase

We will inform you as soon as a pending patch becomes available.


Oracle® products under investigation:

Platform Security for Java


Oracle® products without the need for patches:

Oracle HTTP Server
Oracle WebLogic Server


Manufacturer information:

Oracle Security Alert Advisory - CVE-2021-44228 https://www.oracle.com/security-alerts/alert-cve-2021-44228.html

Oracle Support Article "Apache Log4j Security Alert CVE-2021-44228" (Doc ID 2827611.1) https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2827611.1 


We continue to monitor the development and inform as soon as updates for the individual products are available. If you would like to be notified, simply subscribe to our newsletter.

