cancel
Showing results for 
Search instead for 
Did you mean: 

Hi Everyone,

We are writing to alert you of a potential vulnerability issue - CVE-2021-44228

The issue impacts Neo4j version 4.2+.

Versions 4.0 and 4.1 use slf4j-log4j12 and are not impacted.

Version 4.2 introduces using log4j2

We are working on a fix in 4.2 and up (Neo4j versions 4.3 and 4.4),

Meanwhile please use the configuration setting in your $PATH_TO_NEO4J/conf/neo4j.conf or /etc/neo4j/neo4j.conf. (That is also the case for Neo4j Desktop)

dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true

dbms.jvm.additional=-Dlog4j2.disable.jmx=true

which mitigates the problem.

A restart will be required for the configuration property change to be read and applied.

In Neo4j Sandbox the issue has already been addressed for new sandboxes.

In Neo4j AuraDB the issue has also been mitigated.

The docker images have also been updated with a config setting disabling jmx.

Cheers, Michael

2 Comments