bleimehl
Node

Log4J CVE Mitigation for Neo4j

@michael.hunger says that the Docker images are updated to mitigate the problem

"The docker images have also been updated with a config setting disabling jmx."

Is that true? On dockerhub the 4.4 images are still 6 days old and the 4.3 even 10 days

https://hub.docker.com/_/neo4j?tab=tags

1 ACCEPTED SOLUTION

It seems that they had jmx access already disabled

If you do

call dbms.listConfig() yield name, value 
where name starts with "dbms.jvm.additional" 
return name, value

it shows this, which includes the log4j jmx-disabling flag -Dlog4j2.disable.jmx=true

-XX:-OmitStackTraceInFastThrow
-XX:+AlwaysPreTouch
-XX:+UnlockExperimentalVMOptions
-XX:+TrustFinalNonStaticFields
-XX:+DisableExplicitGC
-XX:MaxInlineLevel=15
-XX:-UseBiasedLocking
-Djdk.nio.maxCachedBufferSize=262144
-Dio.netty.tryReflectionSetAccessible=true
-Djdk.tls.ephemeralDHKeySize=2048
-Djdk.tls.rejectClientInitiatedRenegotiation=true
-XX:FlightRecorderOptions=stackdepth=256
-XX:+UnlockDiagnosticVMOptions
-XX:+DebugNonSafepoints
-Dlog4j2.disable.jmx=true

3 REPLIES

bleimehl
Node

Thanks, Michael, for the clarification:

Additional hint:

If you use NEO4J_dbms_jvm_additional you will overwrite these defaults and have to set them yourself.

Yes, I realized that only after the fact, which is a bit annoying.
The other option one can use with Docker is to set this environment variable:

ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
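Putting the accepted answer and the NEO4J_dbms_jvm_additional caveat together, here is an added example (not code from this thread or from Neo4j) that takes the rows the dbms.listConfig() query above returns, plus the container environment, and reports which of the mitigations discussed are still in effect. The sample rows are constructed, and the -Dlog4j2.formatMsgNoLookups=true property is assumed here as the system-property spelling of LOG4J_FORMAT_MSG_NO_LOOKUPS; it is not on the page.

```python
"""Added example, not code from the thread or from Neo4j: decide, from the
rows the thread's dbms.listConfig() query returns plus the container's
environment, whether the Log4j mitigations it mentions are still in force."""
from __future__ import annotations
from typing import Iterable, Mapping

JMX_FLAG = "-Dlog4j2.disable.jmx=true"  # flag quoted in the thread
NO_LOOKUPS_ENV = "LOG4J_FORMAT_MSG_NO_LOOKUPS"  # env var quoted in the thread
# Assumption: the system-property spelling of the same setting (not on the page).
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def jvm_flags(rows: Iterable[tuple[str, str]]) -> list[str]:
    """Flatten (name, value) rows into the effective JVM argument list.
    Handles dbms.jvm.additional appearing as several rows, one value
    carrying several whitespace-separated flags, and stray quotes."""
    flags: list[str] = []
    for name, value in rows:
        if name.startswith("dbms.jvm.additional"):
            flags.extend(value.replace('"', "").split())
    return flags


def check_mitigations(rows, env: Mapping[str, str]) -> dict[str, bool]:
    """Report each mitigation separately so it is clear which one covers
    the instance after NEO4J_dbms_jvm_additional wiped the defaults."""
    flags = jvm_flags(rows)
    return {
        "jmx_disabled": JMX_FLAG in flags,
        "lookups_disabled_by_flag": NO_LOOKUPS_FLAG in flags,
        "lookups_disabled_by_env": env.get(NO_LOOKUPS_ENV, "").lower() == "true",
    }


def is_mitigated(rows, env: Mapping[str, str]) -> bool:
    return any(check_mitigations(rows, env).values())


# Constructed sample rows: the image defaults from the thread (abridged) ...
DEFAULT_ROWS = [("dbms.jvm.additional",
                 "-XX:+AlwaysPreTouch -Djdk.tls.ephemeralDHKeySize=2048 -Dlog4j2.disable.jmx=true")]
# ... and what remains once NEO4J_dbms_jvm_additional replaced them with one
# operator-chosen flag (constructed value).
OVERRIDDEN_ROWS = [("dbms.jvm.additional", "-XX:+UseG1GC")]

if __name__ == "__main__":
    for label, rows, env in [("image defaults", DEFAULT_ROWS, {}),
                             ("overridden", OVERRIDDEN_ROWS, {}),
                             ("overridden + env var", OVERRIDDEN_ROWS, {NO_LOOKUPS_ENV: "true"})]:
        print(f"{label}: mitigated={is_mitigated(rows, env)} {check_mitigations(rows, env)}")
```

In practice the rows come from running the Cypher query from the accepted answer against the container, and the environment from the container's own configuration.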