RCE 0-day in log4j

[davcamer]

Guidelines

This is a known issue already tracked in the core repository: neo4j/neo4j#12796

Elasticsearch is updating its docker images to include the mitigating configuration. For example:
elastic/elasticsearch#81623

Is there work in progress to include the mitigating config in Neo4j docker images?

[enys]

Setting

- NEO4J_dbms_jvm_additional=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -XX:+AlwaysPreTouch -XX:+UnlockExperimentalVMOptions -XX:+TrustFinalNonStaticFields -XX:+DisableExplicitGC -XX:MaxInlineLevel=15 -XX:-UseBiasedLocking -Djdk.nio.maxCachedBufferSize=262144 -Dio.netty.tryReflectionSetAccessible=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true -XX:FlightRecorderOptions=stackdepth=256 -XX:+UnlockDiagnosticVMOptions -XX:+DebugNonSafepoints -Dlog4j2.formatMsgNoLookups=true -Dlog4j2.disable.jmx=true```

Mitigates the problem in 4.3.7, but not in 4.2.9, any clue ?

[motey]

neo4j claims to have a mitigate fix included in the docker images

https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j/48856

The docker images have also been updated with a config setting disabling jmx.

But i cant see any activities in the repo, backing this claim.

Also asked in the forum already:

https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j-the-docker-images-have-also-been-updated-with-a-config-setting-disabling-jmx/48926

[motey]

Is there work in progress to include the mitigating config in Neo4j docker images?

Seems to be done allready

https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j-the-docker-images-have-also-been-updated-with-a-config-setting-disabling-jmx/48926/2?u=bleimehl