Log4J CVE Mitigation for Neo4j

michael.hunger · December 14, 2021, 11:21pm

Update:

We now have an official page with ongoing updates here

New releases are out, which upgraded the log4j dependency to a non-vulnerable version (2.15.0)
also on DockerHub

4.4.1
4.3.8
4.2.12

Please upgrade to these new releases

If you can not upgrade use the mentioned mitigation.

For a more drastic mitigation you can also remove the JndiLookup class from the neo4j-logging.jar
Might need to install zip first on your systems.

zip -q -d /usr/share/neo4j/lib/neo4j-logging-4*.jar org/neo4j/logging/shaded/log4j/core/lookup/JndiLookup.class

Topic		Replies	Views
How to fix neo4j log4j issues Operations security	3	1204	December 13, 2021
Vulnerability Log4j neo4j 4.4.32 General vulnerability	1	189	March 28, 2024
Log4j Security in Neo4j docker image Docker docker	1	484	December 16, 2021
Impact of Log4j vulnerability CVE-2021-44832 Server	5	1052	January 6, 2022
Log4J CVE Mitigation for Neo4j -> "The docker images have also been updated with a config setting disabling jmx." Server	3	812	December 13, 2021

Log4J CVE Mitigation for Neo4j

Update:

Related topics