
IFS10 MWS patches

  • May 19, 2026

NovJohanL
Do Gooder (Partner)

Hi!

I have a customer where we recently installed the IFS Solution ID 312399 which is supposed to contain security patches for IFS10 middleware.

Now when they run their security scanning software, it still finds old versions of log4j.jar and commons-text-1.1.jar that are known to have vulnerabilities.

Aren’t these supposed to have been replaced with IFS Solution ID 312399?


ashen_malaka_ranasinghe
Hero (Employee)

Hi ​@NovJohanL 

The solution ID 312399 is for Oracle Critical Patch Updates for Middle Tier - 2025 October

More details on this can be found from: Oracle Critical Patch Update Advisory - October 2025

Following are the files that have changed from this solution ID.

  • mws.jar.001
  • mws.jar.002
  • mws.jar.003
  • mws.jar.004
  • mws.jar.005
  • mws.jar.006
  • mws.jar.007
  • mws.jar.008
  • mws.jar.009
  • mws.jar.010
  • mws.jar.011
  • mws.jar.012
  • mws.jar.013
  • mws.jar.014
  • mws.jar.015
  • mws.jar.016
  • mws.jar.017
  • mws.jar.018
  • mws.jar.019
  • mws.jar.020
  • mws.jar.021
  • mws.jar.022
  • mws.jar.023
  • mws.jar.024
  • mws.jar.025
  • mws.jar.026
  • mws-java.tar.gz

Therefore, log4j.jar and commons-text-1.1.jar files are not changed from this.

Also, can you mention the vulnerabilities identified from those files (log4j.jar and commons-text-1.1.jar)?


NovJohanL
Do Gooder (Partner)
  • Author
  • May 20, 2026

Thanks for replying Ashen!
Yes, commons-text-1.1.jar is also there.
There is an older patch (don’t remember the ID now) specifically for handling log4j, can this be installed above IFS Solution ID 312399?
What would be the best way to be up to date with MWS security patches?

 

Regards

Johan

 


ashen_malaka_ranasinghe
Hero (Employee)

The solution ID 311165 (Binary patch 10.26.28.0 delivered) is related to the WebLogic (Log4j) security vulnerability for post go-live of UPD21 in Apps 10.

This Binary patch 10.26.28.0 is the latest one delivered at the moment.

The latest UPD contains the latest MWS security patches.


NovJohanL
Do Gooder (Partner)
  • Author
  • May 28, 2026

So if I understand you correctly, there should be no vulnerable file left on the server after installation of 311165, but 312399 that we got and installed did not touch files related to log4j?

br
Johan


ashen_malaka_ranasinghe
Hero (Employee)

The solution ID 312399 is for Oracle Critical Patch Updates for Middle Tier - 2025 October & the solution ID 311165 (Binary patch 10.26.28.0 delivered) is related to the WebLogic (Log4j) security vulnerability for post go-live of UPD21 in Apps 10.

Those are two separate solution IDs which address two aspects of the IFS Application.

The log4j.jar and commons-text-1.1.jar files are not changed from solution ID 312399. 


  • Hero (Employee)
  • June 4, 2026

I recently worked a case for another customer which found various log4j.jar files in some of its mws directories.  Research revealed the following about that customer’s situation:

  • They ran App 10 hosted on-premise and maintained their own Oracle database in-house as well
  • They applied UPD 27 and began to detect the log4j files after that deployment
  • It turned out they’d been running Oracle 19c, the core version, on their database server but hadn’t applied any maintenance patches since 19c’s initial installation
  • We (IFS Unified Support) advised them to do the following:
    • make sure they were current on their Oracle CPU updates for middle tier and database
    • they could safely disregard .jar files found in their middleware home’s \tmp directories since those were not relied on by App 10 

The customer contact then asked whether or not it would be safe for them to remove log4j.jar files from \tmp subdirectories of the mws home.  After internal correspondence we responded that, yes, it would be safe to remove such files (but only from those \tmp subdirectories) provided the mws server processes had been stopped first.  An outage would therefore be necessary to do the following:

1) run Stop_All_Servers.cmd script to shut down the middleware activity
2) delete the file from the directory where the .jar file is located
3) run Start_All_Servers.cmd script to restart the middleware activity
4) re-check the directory from which the .jar file was removed to make sure it was not spontaneously recreated

We also advised them to apply the Oracle CPU updates to both middleware home and their Oracle home as they were behind schedule in doing so.
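
An added example, not part of the posts above and not IFS or Oracle code: a read-only inventory that lists log4j and commons-text jars under a middleware home, reads the version each jar declares about itself (a file named plain log4j.jar gives none in its name), and marks copies that sit under a tmp directory, which also serves the re-check in step 4. The sample paths and version strings are constructed for the demonstration and do not describe a real IFS layout.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Libraries named in the thread; a version suffix in the file name is optional.
TARGETS = re.compile(r"^(log4j|commons-text)[\w.-]*\.jar$", re.IGNORECASE)
# Constructed sample jars (hypothetical layout and versions, not a real IFS tree).
SAMPLES = {
    "lib/log4j.jar": ("META-INF/MANIFEST.MF", "Implementation-Version: 1.2.17\r\n"),
    "lib/commons-text-1.1.jar": ("META-INF/maven/x/commons-text/pom.properties", "version=1.1\n"),
    "servers/tmp/cache/log4j.jar": ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"),
}

def jar_version(jar_path):
    """Version from the jar's Maven pom.properties or its manifest, else None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            poms = [n for n in jar.namelist() if n.endswith("/pom.properties")]
            for name in poms + ["META-INF/MANIFEST.MF"]:
                text = jar.read(name).decode("utf-8", "replace")
                m = re.search(r"^(?:version=|Implementation-Version:)\s*(\S+)", text, re.MULTILINE)
                if m:
                    return m.group(1)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a readable jar, or no manifest present
    return None

def inventory(mws_home):
    """Matching jars under mws_home as (relative path, version, inside a tmp directory)."""
    root, rows = Path(mws_home), []
    for jar in sorted(root.rglob("*.jar")):
        if TARGETS.match(jar.name):
            rel = jar.relative_to(root)
            in_tmp = any(part.lower() == "tmp" for part in rel.parts[:-1])
            rows.append((rel.as_posix(), jar_version(jar), in_tmp))
    return rows

def build_sample(root):
    """Write the constructed SAMPLES jars under root and return root."""
    for rel, (member, body) in SAMPLES.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(member, body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(*inventory(build_sample(d)), sep="\n")
```

Running `inventory()` against the real middleware home before and after the restart shows whether a removed tmp copy has come back; rows with `in_tmp` false are the ones a patch has to replace.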