dev0
Node
Status: New

My team operates a neo4j installation. Recently a critical finding concerning Apache library commons-text has been published:

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Neo4j is using this vulnerable library. When can we expect a patch?

7 Comments

Hello, we are aware of this one, have fixes merged and patches pending release with the fixes.

> After investigation it was determined that Neo4j is not affected by this vulnerability, as we are not using the vulnerable components of the affected library. However, actions were taken and the Apache Commons-Text library was updated, as recommended by the vendor, and will be released with the latest versions.

Upcoming patches 4.3.20 and 4.4.13 have updated and non-vulnerable versions of the library. I believe those are pending release within the next week or so.

GuinuxBR
Node

Hi, @andrew_bowman.

Do you know when the patched version will be launched for the Neo4j Desktop?

GuinuxBR
Node

Hello, @andrew_bowman .

I saw that Neo4j Desktop 1.5.4 was launched, however it still ships commons-text-1.9.

Will Neo4j Desktop 1.5.5 ship commons-text-1.10+?

steggy
Neo4j

@GuinuxBR - the commons-text comes from the version of the database, apparently - Desktop does not use it directly. The above versions of 4.x, as well as the recently released Neo4j 5 (5.2 dropped on Monday), have replaced it with 1.10+.

GuinuxBR
Node

Hello, @steggy. Thank you for your answer.

I've downloaded the latest version of Neo4j Desktop and the version of Neo4j Enterprise (5.1.0) bundled with it still ships commons-text-1.9.

Please have a look at the below image.

[image: Neo4j_CVE-2022-42889.png]

These files are decompressed to the user profile folder when starting the software, then they are flagged by the security software.

This is why I asked if Neo4j Desktop 1.5.5 will bundle a version of Neo4j Enterprise which ships commons-text-1.10+.

steggy
Neo4j

V5.2 is the one with the replacement. Let me find out when that will show up in Desktop.

steggy
Neo4j

The team indicated that if you have internet connectivity you should be able to download 5.2 from Desktop.
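An added defender-side check, not from this thread and not Neo4j's own tooling: it inventories commons-text jars under a directory tree (for example the extracted Neo4j lib folder that the security software flagged above) and marks anything below 1.10.0, the release that fixes CVE-2022-42889. The jar layout it builds for itself is constructed for the example and only mimics a Neo4j install; the version is read from the file name, falling back to the jar manifest when the name carries no version.

```python
import os, re, tempfile, zipfile

FIXED_VERSION = (1, 10, 0)  # CVE-2022-42889 is fixed in commons-text 1.10.0
JAR_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """Turn '1.9' into (1, 9, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def version_from_manifest(jar_path):
    """Fallback for renamed jars: read Implementation-Version from META-INF/MANIFEST.MF."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return parse_version(m.group(1)) if m else None

def scan_for_commons_text(root):
    """Walk root; return [(path, version or None, vulnerable)] for each commons-text jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.startswith("commons-text") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            m = JAR_RE.match(name)
            version = parse_version(m.group(1)) if m else version_from_manifest(path)
            # An unreadable version is reported as vulnerable so the check fails closed.
            findings.append((path, version, version is None or version < FIXED_VERSION))
    return findings

def make_sample_install(root):
    """Constructed sample mimicking Neo4j lib dirs (assumed layout, not real artefacts)."""
    for relpath, version in [("neo4j-5.1.0/lib/commons-text-1.9.jar", "1.9"),
                             ("neo4j-5.2.0/lib/commons-text.jar", "1.10.0")]:
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\r\n")

def demo():
    """Build the sample in a temp dir, scan it, and return findings with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_install(root)
        return sorted((os.path.relpath(p, root), v, bad) for p, v, bad in scan_for_commons_text(root))
```

Point `scan_for_commons_text` at a real Neo4j home or the Desktop extraction folder to get the same (path, version, vulnerable) tuples for the jars actually on disk.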