What version of log4j do I have?

Hello, good morning. Because of the recently detected vulnerabilities, how can I know which version of log4j the Neo4j Desktop tool is using?

Hello @maria-paz.gutierrez and welcome to the Neo4j community.

You can find all information here.

Regards,
Cobra

Thank you.
But this is not the information I was requesting.
What I need to know is how to check the version I have of log4j. If there is any instruction to see it.

In the link I sent you, it says:

If you’re running Neo4j Desktop 1.4.10 or earlier you should install the updated version 1.4.11 immediately.

It doesn't say which version but depending on the version of Neo4j Desktop, you will know if you have to update or not.

Thank you very much.
I have Neo4j Desktop version - 1.4.12. Please can you confirm that the version of log4j running is 2.17.1?
That's what I understood by accessing the page you indicate.

Version 1.4.11 uses 2.17.1, so version 1.4.12 must use a version >= 2.17.1.

I still recommend that you update Neo4j Desktop each time an update is available; that way you will be sure to have the latest protection available.

1 Like

Thank you very much. That's what I needed to know.
Thank you for your prompt attention.

It seems that the installed versions of databases used within Neo4j Desktop contain jar files with log4j.
I am not sure whether upgrading Neo4j Desktop also upgrades the databases used within Neo4j Desktop projects.

Is it necessary to also update the databases within Neo4j Desktop?

Yours Kindly Omer.

Hello @omerule I am not an expert in administration, but I can tell you what I did in my databases.
I have added a "patch" in the neo4j.conf files before that ver. that did not have these lines yet:

  • dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true
  • dbms.jvm.additional=-Dlog4j2.disable.jmx=true

You can see the page @cobra pointed me to in his message.
Regards

1 Like
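
One way to answer the thread's question directly on disk, added here as an example and not code from Neo4j or from any poster: it lists every log4j-core jar under a directory, flags versions older than the 2.17.1 mentioned above, and reports which of the two quoted `neo4j.conf` lines are missing. It assumes the jar carries the standard Maven `pom.properties` entry and falls back to the file name; the function names and the paths you pass in are illustrative.

```python
import re
import zipfile
from pathlib import Path

# Maven metadata entry that log4j-core jars carry inside the archive (assumed present).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_VERSION = (2, 17, 1)  # version the thread associates with Desktop 1.4.11
# The two neo4j.conf lines quoted in the thread.
MITIGATIONS = ("dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true",
               "dbms.jvm.additional=-Dlog4j2.disable.jmx=true")

def jar_version(jar: Path):
    """Return the log4j-core version of a jar, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar) as zf:
            text = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(\S+)", text, re.M)
        if m:
            return m.group(1)
    except (KeyError, zipfile.BadZipFile, OSError):
        pass  # no metadata or unreadable archive: fall back to the file name
    m = re.fullmatch(r"log4j-core-(\d[\w.\-]*)\.jar", jar.name)
    return m.group(1) if m else None

def is_older(version: str, minimum=MIN_VERSION) -> bool:
    """True if the numeric prefix of version is below minimum (or unparsable)."""
    m = re.match(r"\d+(?:\.\d+){0,2}", version)
    if not m:
        return True  # cannot parse: treat as needing review
    nums = tuple(int(n) for n in m.group().split("."))
    return nums + (0,) * (3 - len(nums)) < minimum

def scan(root):
    """Map every log4j-core jar under root to (version, needs_update)."""
    found = {}
    for jar in Path(root).rglob("*.jar"):
        v = jar_version(jar)
        if v:
            found[str(jar)] = (v, is_older(v))
    return found

def missing_mitigations(conf: Path):
    """List the thread's mitigation lines that are absent or commented out."""
    active = {l.strip() for l in conf.read_text().splitlines() if not l.lstrip().startswith("#")}
    return [m for m in MITIGATIONS if m not in active]

if __name__ == "__main__":
    import sys
    for path, (ver, old) in scan(sys.argv[1]).items():
        print(("UPDATE " if old else "ok     ") + ver, path)
```

Run it against the Neo4j Desktop data directory so that the database installations inside projects are covered as well as the application itself.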