Log4J CVE Mitigation for Neo4j

michael.hunger · December 11, 2021, 2:05pm

Hi Everyone,

We are writing to alert you of a potential vulnerability issue - CVE-2021-44228

The issue impacts Neo4j version 4.2+.

Versions 4.0 and 4.1 use slf4j-log4j12 and are not impacted.

Version 4.2 introduces using log4j2

neo4j/neo4j/blob/4.2/pom.xml#L140


      
            <mockito.version>3.5.13</mockito.version>
            <opencypher.version>1.0.0-M15</opencypher.version>
            <caffeine.version>2.8.5</caffeine.version>
            <required.maven.version>3.5.4</required.maven.version>
            <jackson.version>2.13.4</jackson.version>
            <jackson-databind.version>2.13.4.2</jackson-databind.version>
            <amazon-sdk.version>1.12.301</amazon-sdk.version>
            <guava.version>29.0-jre</guava.version>
            <awaitility.version>4.0.3</awaitility.version>
            <!--    Be careful when updating Log4j version. We have workarounds for problems with shading/plugin handling
                    in Log4jPluginLoadingWorkaround that must be verified to still work after bumping the version. -->
            <log4j.version>2.17.1</log4j.version>
            <slf4j.version>1.7.30</slf4j.version>
            <neo4j-java-driver.version>4.2.9</neo4j-java-driver.version>
            <skip-scalastyle>false</skip-scalastyle>
          </properties>
          
          
<modules>
            <module>annotations</module>
            <module>build-resources</module>
            <module>community</module>

We are working on a fix in 4.2 and up (Neo4j versions 4.3 and 4.4),

Meanwhile please use the configuration setting in your $PATH_TO_NEO4J/conf/neo4j.conf or /etc/neo4j/neo4j.conf. (That is also the case for Neo4j Desktop)

dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true

dbms.jvm.additional=-Dlog4j2.disable.jmx=true

which mitigates the problem.

A restart will be required for the configuration property change to be read and applied.

In Neo4j Sandbox the issue has already been addressed for new sandboxes.

In Neo4j AuraDB the issue has also been mitigated.

The docker images have also been updated with a config setting disabling jmx.

Cheers, Michael

michael.hunger · December 14, 2021, 11:21pm

Update:

We now have an official page with ongoing updates here

New releases are out, which upgraded the log4j dependency to a non-vulnerable version (2.15.0)
also on DockerHub

4.4.1
4.3.8
4.2.12

Please upgrade to these new releases

If you can not upgrade use the mentioned mitigation.

For a more drastic mitigation you can also remove the JndiLookup class from the neo4j-logging.jar
Might need to install zip first on your systems.

zip -q -d /usr/share/neo4j/lib/neo4j-logging-4*.jar org/neo4j/logging/shaded/log4j/core/lookup/JndiLookup.class

michael.hunger · December 18, 2021, 1:18pm

The new security page for the log4j issue (gets ongoing updates): Apache Log4j Security Vulnerability

Recent patch releases with log4j 2.16.0 -> 4.4.2, 4.3.9, 4.2.13 also for the public Docker image.

Topic		Replies	Views
Impact of Log4j vulnerability CVE-2021-44832 Server	5	988	January 6, 2022
How to fix neo4j log4j issues Operations security	3	1155	December 13, 2021
Log4j Security in Neo4j docker image Docker docker	1	436	December 16, 2021
Mitigation of Log4J CVE in spatial plugin Neo4j Developer Blog Archive neo4j-spatial	2	459	January 12, 2022
Vulnerability Log4j neo4j 4.4.32 General vulnerability	1	162	March 28, 2024

Log4J CVE Mitigation for Neo4j

Update:

Related topics