Neo4j 3.4 and earlier RCE vulnerability (neo4j-shell)

This is only relevant for you if you are running Neo4j Enterprise version 3.4 or earlier,
and may be impacted by a recent security issue that we have just identified.

Description of the problem

Security researchers have advised the Neo4j Security team that versions of Neo4j 3.4,
and earlier, are vulnerable to a Remote Code Exploit (RCE) in the Java RMI protocol.

The privileged access vulnerability can be exploited only when the shell server is enabled.

Neo4j versions earlier than 3.5 have a dependency on a library (Rhino 1.7.9) with known
Remote Code Execution (RCE) through a deserialization exploit.
An attacker can craft and serialize a malicious Java object to abuse this vulnerability,
and obtain RCE via the shell server to run their code.

Usually neo4j-shell doesn't need to be used/enabled because since Neo4j 3.0 you can use cypher-shell to connect to your neo4j server securely via the bolt protocol.

Resolution*

Neo4j recommends that users running unsupported versions of Neo4j 3.4, or earlier,
upgrade immediately to the latest supported version of Neo4j 3.5.x, or greater.

Upgrades typically require downtime on a single server, clusters support rolling
upgrades to eliminate or reduce downtime.

To mitigate exposure until an upgrade can be performed, you can close ports in your
neo4j.conf file and restart Neo4j. Set the property dbms.shell.enabled=false which
will disable the neo4j-shell component. For a cluster this config setting must be
applied on each cluster member and a rolling restart should be used to apply the
configuration changes without system downtime.

For more information on the Neo4j configuration, see:

https://neo4j.com/docs/operations-manual/3.4/configuration/ports/

If the neo4j-shell cannot be disabled because of a dependency in your system,
then port 1337 should be shut off at your firewall so that only trusted
users/applications within your network can access the service.

Cheers, Michael

3 Likes