Updated 15 December 2021
These are maintenance releases, you’ll find several bug fixes available for both products.
These product updates ALSO include Apache Log4j, version 2.16.0. Note that while SQL Developer is a desktop tool and not likely to be a problem, we take these issues extremely seriously, and have updated the software within a business day of becoming aware of the issue.
You can find the other bug fixes for SQL Developer here.
SQL Developer Data Modeler version 21.4 can be found here.
What about ORDS, SQL Developer Web, and SQLcl?
These products neither use nor ship the Log4j library. They are not affected by this known security vulnerability. We are readying versions 21.4 releases for these products and should be available before we leave for the 2021 Winter Break.
26 Comments
i am unable to create a database connection whenever i tried to create it always gives an error what i do ?
Errors are important. They give us an indication of why something isn’t working. And there’s more than one connection error you can get.
If you don’t tell me what it is, and exactly what you’re trying, I can’t help you.
Are the scripts working for anyone with the latest data modeler. They stopped working for me completely. Edit anything in the script and choose Oracle Nashorn and when you hit apply, it just says Transoformation Finished, even though I know there are errrors in the script.
By any chance are you using Java 8?
After your comment I realized. It was using the JDK 1.8 version. So here is the thing the Version 21.4.1.349 is getting shipped with the JDK 1.8
java version “1.8.0_311”
Java(TM) SE Runtime Environment (build 1.8.0_311-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.311-b11, mixed mode)
And that’s what I was using. With JDK 11 its working fine –
openjdk version “11.0.8-internal” 2020-07-14
OpenJDK Runtime Environment (build 11.0.8-internal+0-adhoc..jdk11u)
OpenJDK 64-Bit Server VM (build 11.0.8-internal+0-adhoc..jdk11u, mixed mode)
I’ll continue to use that.
Hello Jeff.
I have noticed that when running sample code
set timing on
set echo on
set serveroutput on
using Oracle SQL Developer 21.2.1, 21.4.0 and 21.4.1 just after connecting to the database
the newest versions 21.4.0 and 21.4.0 running it much longer than 21.2.1, for example:
21.2.1: below 1s
21.4.0: 6s
21.4.1: 12s
However it seems that when the same code is executed again then everything backs to normal
(execution time is similar to 21.2.1 version), so it looks like that the newest versions need to warm up a little bit.
It applies to other commands as well like alter table and so on.
Best Regards.
Piotr
Is it related to this problem:
https://community.oracle.com/tech/developers/discussion/4492522/version-sql-developer-21-4-is-very-slow#latest
If yes – See first answer
Yes, disable that insight option, restart.
We’ll have a fix hopefully as soon as next week.
Yes, that worked.
Thank you for the tip.
Aren’t extensions on SQL DEVELOPER working anymore?
I have a lot of EDITOR extesions to generate SQL querys as needed but they didn’t work anymore on the last 2 versions of SQL DEVELOPER
I use the old:
MY SQL QUERY here
Sqldev extensions should still be working.
Do you have an example?
Dear team,
2 weeks after your release, we are already talking about 2.17 vs regarding log4j latest release, any update on the pipeline?
2.16 issues are a denial of Service attack vector.. But data modeler is a desktop application.
So, there’s not really an issue for our tools. No need to patch to 2.17 for SQLDev.
Hi Jeff,
Hope you can help. Been at it the whole afternoon. I could not use SQL Developer Ver 21.4.1 in Windows 7.
Ver 20.2 was the last one that worked well. Ver 21.2 didn’t work either when I tried to update before.
Details:
OS: Windows 7 Ultimate
SQL Developer: 21.4.1 (latest)
JDK: jdk1.8.0_181
Install folder: C:\sqldeveloper v.21.4.1
(20.2 is installed in a separate folder. This version works with no prob whatsoever)
Here’s the error:
Exception in thread “main” java.lang.OutOfMemoryError: unable to create new native thread
at java.lang.Thread.start0(Native Method)
at java.lang.Thread.start(Thread.java:717)
at sun.awt.AWTAutoShutdown.activateBlockerThread(AWTAutoShutdown.java:347)
at sun.awt.AWTAutoShutdown.setToolkitBusy(AWTAutoShutdown.java:262)
at sun.awt.AWTAutoShutdown.notifyToolkitThreadBusy(AWTAutoShutdown.java:145)
at sun.awt.windows.WToolkit.(WToolkit.java:254)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at java.awt.Toolkit$2.run(Toolkit.java:873)
at java.awt.Toolkit$2.run(Toolkit.java:855)
at java.security.AccessController.doPrivileged(Native Method)
at java.awt.Toolkit.getDefaultToolkit(Toolkit.java:854)
at java.awt.Toolkit.getEventQueue(Toolkit.java:1736)
at java.awt.EventQueue.isDispatchThread(EventQueue.java:1071)
at javax.swing.SwingUtilities.isEventDispatchThread(SwingUtilities.java:1366)
at oracle.ide.osgi.boot.SplashScreenImpl.SynchronizeWithEdt(SplashScreenImpl.java:529)
at oracle.ide.osgi.boot.api.SplashScreen.createInstance(SplashScreen.java:66)
at oracle.ide.osgi.boot.OracleIdeLauncher.showSplashScreen(OracleIdeLauncher.java:828)
at oracle.ide.osgi.boot.OracleIdeLauncher.main(OracleIdeLauncher.java:109)
On Windows 10 though, it worked right up. Even while using OpenJDK.
Neither Windows 7 nor OpenJDK are supported.
Hi Jeff,
But according to this:
https://www.oracle.com/tools/sqldev/sqldev-relnotes-21.4.html#sec1
–> o Oracle SQL Developer 21.4 is available for Windows 7,8,10 and Windows Server 2008/2012, Linux or Mac OS X. (See full Certification)
It does say there, Windows 7, along with other OS versions.
Are you saying versions 21+ of SQL Developer won’t run on Windows 7 anymore?
Is there any workaround for that other than not using SQL Developer versions below ver 21 anymore on Windows 7 (due to the log4j concerns)?
Also, just sharing, my copy of ver 21.4.1 is running under Windows 10 using OpenJDK. Not entirely sure up to what functionalities of SQL Developer would break though, but I was able to open it, connect to a DB and run queries against the connected DB without problems (or so I think, for now).
I logged a bug to fix those, will update ASAP.
MSFT doesn’t support win7 and neither does oracle jdk8, this isn’t my decision.
Hi Jeff,
what’s new in the 21.4.1 version compared the 2.4.0 version ?
Log4j 2.16 vs 2.15
Hi Jeff,
Is there a risk of an old version used through citrix ?
The CVE exists citrix or no citrix. And we’ve been shipping this jar for years – so I’m going to say ‘yes.’ The bigger answer is that the level of risk is mostly likely VERY low. However, why gamble when you know there is a potential for problems, so we’re treating this seriously and advise customers to do the same.
What about the second flaw inthe same package ?
https://logging.apache.org/log4j/2.x/download.html
That would theoretically require a second response/mitigation…stay tuned.
Hi
It’s great that the Log4j vulnerability was tacked so quickly.
I’m using Windows Instant Client 21.3 and it seems as now there’s a versioning problem between SQL Developer and the Instant Client as I’m getting: “Incompatible version of libocijdbc[Jdbc:214000, Jdbc-OCI:213000”.
I can see that a 21.4 version of the Instant Client has been released for Linux but it doesn’t seem like a new version for Windows is out yet or I haven’t been able to find it.
Regards, Torfi
Jeff, the link for Data Modeler is not OK, you should change www-sites with just www
Thanks, all fixed now!