cancel
Showing results for 
Search instead for 
Did you mean: 

Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

Impact of Log4j vulnerability CVE-2021-44832

Hi, Have we assessed the impact of CVE-2021-44832 to determine if Neo4j is affected? If impacted, can we get a patch for Neo4j as soon as possible? Thanks!

5 REPLIES 5

see Apache Log4j Security Vulnerability and

Update January 3 on CVE-2021-44832
Log4j (2.17.1) was released on December 27th, 2021 to address the issues described in CVE-2021-44832. Neo4j DB Server is not exploitable by this vulnerability as it does not allow users to modify the log4j configuration file in the way necessary to exploit the vulnerability.

Neo4j’s current course of action on CVE-2021-44832:

We will continue looking into this issue and update with new details.
All prior guidance and recommendations around configuration property changes are still valid.
We are working towards upgrading to the latest version of Log4j (2.17.1) and targeting to release within the priority-based remediation timeframes that are outlined in Neo4j vulnerability management policy

Thank you for the update. Do we have a rough timeline?

@skrishnamurthy

I might expect in next week or 2.
But given Neo4j is no impacted by the vulnerability is there a urgency?

Thanks again. Upgrading to Log4j 2.17.1 is the recommended approach for full mitigation. Is it possible to get an update sooner?

@skrishnamurthy
ok but my understanding is that we need not explicitly mitigate since we are not impacted by the vulnerability.

My prior update included

Log4j (2.17.1) was released on December 27th, 2021 to address the issues described in
 CVE-2021-44832. 
Neo4j DB Server is not exploitable by this vulnerability as it does not allow users to modify 
the log4j configuration file in the way necessary to exploit the vulnerability.

and specifically Neo4j DB Server is not exploitable by this vulnerability