Impact of Log4j vulnerability CVE-2021-44832

Hi, have we assessed the impact of CVE-2021-44832 to determine if Neo4j is affected? If impacted, can we get a patch for Neo4j as soon as possible? Thanks!

see Apache Log4j Security Vulnerability and

Update January 3 on CVE-2021-44832
Log4j (2.17.1) was released on December 27th, 2021 to address the issues described in CVE-2021-44832. Neo4j DB Server is not exploitable by this vulnerability as it does not allow users to modify the log4j configuration file in the way necessary to exploit the vulnerability.

Neo4j’s current course of action on CVE-2021-44832:

We will continue looking into this issue and update with new details.
All prior guidance and recommendations around configuration property changes are still valid.
We are working towards upgrading to the latest version of Log4j (2.17.1) and targeting a release within the priority-based remediation timeframes that are outlined in the Neo4j vulnerability management policy.

Thank you for the update. Do we have a rough timeline?

@skrishnamurthy

I might expect it in the next week or two.
But given Neo4j is not impacted by the vulnerability, is there any urgency?

Thanks again. Upgrading to Log4j 2.17.1 is the recommended approach for full mitigation. Is it possible to get an update sooner?

@skrishnamurthy
OK, but my understanding is that we need not explicitly mitigate, since we are not impacted by the vulnerability.

My prior update included

Log4j (2.17.1) was released on December 27th, 2021 to address the issues described in CVE-2021-44832. Neo4j DB Server is not exploitable by this vulnerability as it does not allow users to modify the log4j configuration file in the way necessary to exploit the vulnerability.

and specifically: "Neo4j DB Server is not exploitable by this vulnerability".
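The thread's position rests on two facts an operator can verify locally: which log4j-core version is bundled (2.17.1 or later carries the fix), and whether the log4j configuration file can actually be modified by non-administrative users. The script below is an added example, not code from this thread or from Neo4j; the lib/ and conf/ layout and the config file name are assumptions to adjust for the real install.

```shell
#!/bin/sh
# Added example (not from the thread or from Neo4j). Audits an install for
# the two facts the thread relies on. Assumed layout: jars under lib/, the
# log4j2 configuration somewhere under conf/ (real file name varies by
# Neo4j version). Requires sort -V (GNU/BSD coreutils).

FIXED_LOG4J="2.17.1"   # version the thread names as addressing CVE-2021-44832

# version_ge A B: succeed when dotted version A is >= B
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# log4j_core_versions DIR: print the version of every log4j-core jar under DIR
log4j_core_versions() {
    find "$1" -name 'log4j-core-*.jar' 2>/dev/null |
        sed -n 's/.*log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# check_log4j_jars DIR: succeed only if at least one log4j-core jar exists
# and every one found is at FIXED_LOG4J or newer
check_log4j_jars() {
    found=0
    for v in $(log4j_core_versions "$1"); do
        found=1
        version_ge "$v" "$FIXED_LOG4J" ||
            { echo "outdated log4j-core $v under $1"; return 1; }
    done
    [ "$found" -eq 1 ]
}

# check_config_not_writable FILE: succeed unless the log4j configuration is
# group- or world-writable. The thread's argument is that users cannot
# change this file, so a loose mode undermines that reasoning.
check_config_not_writable() {
    [ -f "$1" ] || { echo "no log4j config at $1"; return 1; }
    case "$(ls -l "$1" | cut -c5-10)" in   # group + other permission bits
        *w*) echo "$1 is group- or world-writable"; return 1 ;;
    esac
    return 0
}

# Usage against a real install (paths are assumptions):
# check_log4j_jars "$NEO4J_HOME/lib" &&
#     check_config_not_writable "$NEO4J_HOME/conf/<log4j2 config file>"
```

Run both checks as the user the database runs as; a passing jar check plus a config file only root can write matches the condition the thread describes.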