This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

Log4J CVE Mitigation for Neo4j -> "The docker images have also been updated with a config setting disabling jmx."

Go to solution
bleimehl
Node

‎12-13-2021 12:51 AM

Log4J CVE Mitigation for Neo4j

@michael.hunger says that the Docker images are updated to mitigate the problem

"The docker images have also been updated with a config setting disabling jmx."

Is that true? On dockerhub the 4.4 images are still 6 days old and the 4.3 even 10 days

https://hub.docker.com/_/neo4j?tab=tags

Labels:
0 Kudos
Reply
1 ACCEPTED SOLUTION

Go to solution
michael_hunger
Neo4j
Neo4j

‎12-13-2021 08:40 AM

It seems that they had jmx access already disabled

If you do

call dbms.listConfig() yield name, value 
where name starts with "dbms.jvm.additional" 
return name, value

it shows this which includes the disabled log4j jmx -Dlog4j2.disable.jmx=true

-XX:-OmitStackTraceInFastThrow
-XX:+AlwaysPreTouch
-XX:+UnlockExperimentalVMOptions
-XX:+TrustFinalNonStaticFields
-XX:+DisableExplicitGC
-XX:MaxInlineLevel=15
-XX:-UseBiasedLocking
-Djdk.nio.maxCachedBufferSize=262144
-Dio.netty.tryReflectionSetAccessible=true
-Djdk.tls.ephemeralDHKeySize=2048
-Djdk.tls.rejectClientInitiatedRenegotiation=true
-XX:FlightRecorderOptions=stackdepth=256
-XX:+UnlockDiagnosticVMOptions
-XX:+DebugNonSafepoints
-Dlog4j2.disable.jmx=true"

View solution in original post

Reply
3 REPLIES 3

Go to solution
michael_hunger
Neo4j
Neo4j

‎12-13-2021 08:40 AM

It seems that they had jmx access already disabled

If you do

call dbms.listConfig() yield name, value 
where name starts with "dbms.jvm.additional" 
return name, value

it shows this which includes the disabled log4j jmx -Dlog4j2.disable.jmx=true

-XX:-OmitStackTraceInFastThrow
-XX:+AlwaysPreTouch
-XX:+UnlockExperimentalVMOptions
-XX:+TrustFinalNonStaticFields
-XX:+DisableExplicitGC
-XX:MaxInlineLevel=15
-XX:-UseBiasedLocking
-Djdk.nio.maxCachedBufferSize=262144
-Dio.netty.tryReflectionSetAccessible=true
-Djdk.tls.ephemeralDHKeySize=2048
-Djdk.tls.rejectClientInitiatedRenegotiation=true
-XX:FlightRecorderOptions=stackdepth=256
-XX:+UnlockDiagnosticVMOptions
-XX:+DebugNonSafepoints
-Dlog4j2.disable.jmx=true"
Reply

Go to solution
bleimehl
Node

‎12-13-2021 08:46 AM

Thanks Michael for the clarification:

Additional hint:

if you use NEO4J_dbms_jvm_additional you will overwrite these default and you have to set them yourself

0 Kudos
Reply

Go to solution
michael_hunger
Neo4j
Neo4j
In response to bleimehl

‎12-13-2021 09:45 AM

Yes I realized that only after the fact which is a bit annoying.
The other option one can use with Docker is to set this environment variable:

ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true

0 Kudos
Reply
Nodes 2022
Nodes
NODES 2022, Neo4j Online Education Summit

All the sessions of the conference are now available online

Watch replays