01-05-2022 09:10 PM
Hi, have we assessed the impact of CVE-2021-44832 to determine if Neo4j is affected? If impacted, can we get a patch for Neo4j as soon as possible? Thanks!
01-06-2022 11:30 AM
See Apache Log4j Security Vulnerability and Update January 3 on CVE-2021-44832:
Log4j (2.17.1) was released on December 27th, 2021 to address the issues described in CVE-2021-44832. Neo4j DB Server is not exploitable by this vulnerability as it does not allow users to modify the log4j configuration file in the way necessary to exploit the vulnerability.
Neo4j’s current course of action on CVE-2021-44832:
We will continue looking into this issue and update with new details.
All prior guidance and recommendations around configuration property changes are still valid.
We are working towards upgrading to the latest version of Log4j (2.17.1) and are targeting a release within the priority-based remediation timeframes outlined in the Neo4j vulnerability management policy.
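The reply above turns on two facts: which log4j-core version is actually installed, and whether the configuration contains the appender combination the CVE requires (per the CVE-2021-44832 advisory, a JDBC appender whose DataSource is resolved through a JNDI name). The following audit script is an added example, not Neo4j's own tooling; the directory layout, jar names and the sample log4j2.xml it builds are constructed for the demonstration, and the version comparison uses 2.17.1 as the fixed release named in the thread.

```python
"""Inventory check for log4j-core jars and for a JDBC/JNDI appender in log4j2.xml.

Added example, not Neo4j's tooling. Paths, jar names and the sample
configuration below are constructed for the demonstration.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# 2.17.1 is the Log4j release named in the thread as addressing CVE-2021-44832.
FIXED_VERSION = (2, 17, 1)
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_jar_version(filename):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = JAR_RE.match(filename)
    return tuple(int(x) for x in m.groups()) if m else None


def find_log4j_core_jars(lib_dir):
    """Walk a lib directory and collect every log4j-core jar with its version."""
    found = []
    for root, _dirs, files in os.walk(lib_dir):
        for name in sorted(files):
            version = parse_jar_version(name)
            if version is not None:
                found.append((os.path.join(root, name), version))
    return found


def needs_upgrade(version):
    """True when the installed log4j-core is older than the fixed release."""
    return version < FIXED_VERSION


def config_has_jndi_datasource(config_path):
    """Check a log4j2 XML config for a JDBC appender whose DataSource uses a JNDI name.

    That combination is the precondition CVE-2021-44832 requires (advisory fact,
    not something the forum thread states). Plugin tags are matched case-insensitively
    because Log4j itself treats them that way.
    """
    root = ET.parse(config_path).getroot()
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() == "datasource" and child.get("jndiName"):
                return True
    return False


def audit(lib_dir, config_path):
    """Summarise which jars need upgrading and whether the config has the risky appender."""
    jars = find_log4j_core_jars(lib_dir)
    return {
        "jars": [(path, ".".join(map(str, v)), needs_upgrade(v)) for path, v in jars],
        "jndi_datasource_in_config": config_has_jndi_datasource(config_path),
    }


# Constructed sample configuration containing the risky appender shape.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT"/>
    <JDBC name="db" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>
"""


def build_demo():
    """Construct a throwaway install layout with an old jar and the sample config, then audit it."""
    base = tempfile.mkdtemp(prefix="log4j-audit-")
    lib = os.path.join(base, "lib")
    os.makedirs(lib)
    # Constructed file names; the jars are empty placeholders, only the name matters here.
    for jar in ("log4j-core-2.17.0.jar", "log4j-api-2.17.0.jar"):
        open(os.path.join(lib, jar), "wb").close()
    cfg = os.path.join(base, "log4j2.xml")
    with open(cfg, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)
    return audit(lib, cfg)


if __name__ == "__main__":
    report = build_demo()
    for path, ver, upgrade in report["jars"]:
        print(f"{path}: {ver} {'NEEDS UPGRADE' if upgrade else 'ok'}")
    print("JDBC appender with JNDI DataSource in config:", report["jndi_datasource_in_config"])
```

Point `audit()` at a real `lib` directory and `conf/log4j2.xml` (paths assumed, adjust to the installation) to get the same two answers for a deployed server; a jar below 2.17.1 combined with a config that has no JDBC/JNDI appender and that users cannot edit matches the "not exploitable, still upgrade per policy" position the reply takes.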
01-06-2022 12:04 PM
Thank you for the update. Do we have a rough timeline?
01-06-2022 12:20 PM
I might expect it in the next week or two.
But given Neo4j is not impacted by the vulnerability, is there any urgency?
01-06-2022 12:39 PM
Thanks again. Upgrading to Log4j 2.17.1 is the recommended approach for full mitigation. Is it possible to get an update sooner?
01-06-2022 02:01 PM
@skrishnamurthy
OK, but my understanding is that we need not explicitly mitigate since we are not impacted by the vulnerability.
My prior update included:
Log4j (2.17.1) was released on December 27th, 2021 to address the issues described in CVE-2021-44832.
Neo4j DB Server is not exploitable by this vulnerability as it does not allow users to modify the log4j configuration file in the way necessary to exploit the vulnerability.
and specifically: Neo4j DB Server is not exploitable by this vulnerability.