We are writing to alert you of a potential vulnerability issue - CVE-2021-44228
The issue impacts Neo4j version 4.2+.
Versions 4.0 and 4.1 use slf4j-log4j12 and are not impacted.
Version 4.2 introduces using log4j2
We are working on a fix in 4.2 and up (Neo4j versions 4.3 and 4.4),
Meanwhile please use the configuration setting in your
/etc/neo4j/neo4j.conf. (That is also the case for Neo4j Desktop)
which mitigates the problem.
A restart will be required for the configuration property change to be read and applied.
In Neo4j Sandbox the issue has already been addressed for new sandboxes.
In Neo4j AuraDB the issue has also been mitigated.
The docker images have also been updated with a config setting disabling jmx.
We now have an official page with ongoing updates here
New releases are out, which upgraded the log4j dependency to a non-vulnerable version (2.15.0)
also on DockerHub
Please upgrade to these new releases
If you can not upgrade use the mentioned mitigation.
For a more drastic mitigation you can also remove the
JndiLookup class from the neo4j-logging.jar
Might need to install
zip first on your systems.
zip -q -d /usr/share/neo4j/lib/neo4j-logging-4*.jar org/neo4j/logging/shaded/log4j/core/lookup/JndiLookup.class
The new security page for the log4j issue (gets ongoing updates): Apache Log4j Security Vulnerability
Recent patch releases with log4j 2.16.0 -> 4.4.2, 4.3.9, 4.2.13 also for the public Docker image.