This page will be updated frequently. Please check back regularly.
Last updated 2022-01-13 21:00 (UTC+1)
This update covers the following security vulnerabilities:
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-45105
- CVE-2021-44832
Neo4j is actively following the updates around the recently disclosed security vulnerabilities related to the Log4j library.
What You Need to Do
Update January 13: We have released a new version of the Neo4j BI Connector that includes log4j 2.17.1; it is available at the Neo4j Download Center.
Updated packages now exist for all impacted Neo4j DB versions and include a non-vulnerable version of Log4j (2.17.1). We strongly recommend our customers and users upgrade as soon as possible. Visit the Neo4j Download Center to get updated packages.
If you are running Neo4j Database Server v4.2-4.4, you should install the corresponding updated version immediately:
- If you're running 4.2 please update to 4.2.14
- If you're running 4.3 please update to 4.3.10
- If you're running 4.4 please update to 4.4.3
- If you're running Neo4j Desktop 1.4.10 or earlier you should install the updated version 1.4.11 immediately.
We are continuously assessing the impact of the vulnerabilities on our products and the following table outlines the current status.
Product | CVE | Status | Additional Information |
Neo4j Database Server (Enterprise & Community Edition): v 3.5 – v 4.1 | All | Not Impacted | |
Neo4j Database Server (Enterprise & Community Edition): v 4.2 | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 | Mitigated, Customer action needed | Please upgrade to Neo4j v 4.2.14. Please see below for further info. |
Neo4j Database Server (Enterprise & Community Edition): v 4.3 | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 | Mitigated, Customer action needed | Please upgrade to Neo4j v 4.3.10. Please see below for further info. |
Neo4j Database Server (Enterprise & Community Edition): v 4.4 | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 | Mitigated, Customer action needed | Please upgrade to Neo4j v 4.4.3. Please see below for further info. |
Neo4j Graph Data Science Library: All versions | | Not Impacted | |
Neo4j Bloom: All versions | | Not Impacted | |
Neo4j Bloom Server Plugin | | Not Impacted | |
Neo4j Browser: All versions | | Not Impacted | |
Neo4j Desktop | | Mitigated, Customer action needed | Update December 21: Please update to v 1.4.11 |
Aura | | Mitigated, No action needed | The issue has already been mitigated and no further action is required. Our security and engineering teams are continuously reviewing and monitoring the situation; so far, the investigation has not identified any indications of compromise or active exploitation of the vulnerability. |
Neo4j Sandbox | | Mitigated, Customer action needed | The issue does not impact new sandboxes. If you initiated a sandbox before December 11, 2021, we recommend you terminate the existing sandbox and create a new instance. You can create a dump of the previous data, if needed. |
Neo4j Docker Images | | Mitigated, Customer action needed | All Docker images for the Log4j-impacted Neo4j versions have been updated to the latest available version and published. |
Cypher Shell | | Not Impacted | |
Neo4j Connector for Apache Kafka | | Not Impacted | |
Neo4j Connector for Apache Spark | | Not Impacted | |
Neo4j BI Connector | | Mitigated, Customer action needed | A new release 1.0.10 that includes log4j 2.17.1 is available at the Neo4j Download Center. |
SDN6 (Spring Data Neo4j 6.0) | | Not Impacted | |
SDN (Spring Data Neo4j) | | Not Impacted | |
OGM (Object Graph Mapper) | | Not Impacted | |
Cypher-DSL | | Not Impacted | |
Neo4j GraphQL Library (neo4j-graphql and neo4j-graphql-java) | | Not Impacted | |
Cypher Workbench, also known as Solutions Workbench | | Not Impacted | |
APOC | | Not Impacted | |
Upgrade not possible?
For environments where an upgrade might not be possible in the short term, the following steps should be taken:
Configuration change 1: Disable message lookups through a JVM system property; this mitigates the issue to a great extent.
In Neo4j Database Server the configuration below can be set via conf/neo4j.conf settings:
dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true
Configuration change 2: After completing the first step, the following configuration changes are recommended in order to further reduce the exploitation paths of this vulnerability:
For Neo4j version 4.2:
unsupported.dbms.logs.format=JSON_FORMAT
dbms.logs.http.enabled=false
For Neo4j versions 4.3 and 4.4:
dbms.logs.default_format=JSON
dbms.logs.http.enabled=false
It is worth mentioning that the above change will transform all logs into JSON format, which might have some consequences for tools or pipelines that are parsing those logs.
A restart will be required for the configuration property changes to be read and applied. For single instances, this restart means a brief downtime. For clustered environments, the change can be applied with a rolling restart, one cluster member at a time, to minimize impact to users.
Please note: Investigations are still ongoing, but we need to highlight that none of these options fully mitigates the threats of CVE-2021-44228. Upgrading to the latest version is the most secure option.
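As an added example (not Neo4j's own tooling), the following Python checks a conf/neo4j.conf for the three interim settings listed in this section, using the setting names quoted above for each 4.x version; the config it parses is a constructed sample. It only confirms the interim settings are present; as noted, upgrading remains the real fix.

```python
# Audit a Neo4j conf/neo4j.conf for the interim Log4j settings above.
# Added example, not Neo4j's own tooling; setting names are the ones the
# advisory quotes, and the sample config below is constructed.

# Log-format setting per Neo4j minor version, as listed in the advisory.
LOG_FORMAT_KEYS = {
    "4.2": ("unsupported.dbms.logs.format", "JSON_FORMAT"),
    "4.3": ("dbms.logs.default_format", "JSON"),
    "4.4": ("dbms.logs.default_format", "JSON"),
}
LOOKUP_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

def parse_conf(text):
    """Return {key: [values]} from key=value lines. Repeated keys are kept,
    because dbms.jvm.additional legitimately appears once per JVM option."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def audit(text, minor_version):
    """Return the advisory settings that are missing or wrong; an empty
    list means all three interim settings are present for this version."""
    s = parse_conf(text)
    findings = []
    if LOOKUP_FLAG not in s.get("dbms.jvm.additional", []):
        findings.append(f"dbms.jvm.additional lacks {LOOKUP_FLAG}")
    fmt_key, fmt_val = LOG_FORMAT_KEYS[minor_version]
    if s.get(fmt_key, [None])[-1] != fmt_val:  # last value in the file
        findings.append(f"{fmt_key} should be {fmt_val}")
    if s.get("dbms.logs.http.enabled", [None])[-1] != "false":  # must be explicit
        findings.append("dbms.logs.http.enabled should be false")
    return findings

# Constructed sample for a 4.3 server: lookups disabled, HTTP log still on.
SAMPLE_CONF = """\
# neo4j.conf (constructed sample)
dbms.jvm.additional=-XX:+UseG1GC
dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true
dbms.logs.default_format=JSON
dbms.logs.http.enabled=true
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "4.3"):
        print("MISSING:", finding)
```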
Update on AWS Self-Host Customers
On December 17th AWS released a Log4j hot patch to customer EC2 instances. In some cases the hot patch has been reported to prevent rolling restarts of Neo4j 4.x instances. For customers who have updated their Neo4j database with the Log4j fix, and provided that Neo4j is the only Java process running on the instance, the AWS hot patch can be disabled to restore proper service, per the AWS instructions at the link below:
https://alas.aws.amazon.com/announcements/2021-001.html
Questions?
We will continue to update these statements as more information becomes available. You will also see updates on our social media channels.
If you have an urgent query, please open a support ticket at:
Neo4j Support: https://support.neo4j.com
or
Neo4j Aura Support: https://aura.support.neo4j.com
Need to report a vulnerability? Visit our security page for further details and instructions.
References
- Link to Neo4j Community site post
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://www.randori.com/blog/cve-2021-44228/
- https://logging.apache.org/log4j/2.x/security.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- https://nvd.nist.gov/vuln/detail/CVE-2021-45105
- https://nvd.nist.gov/vuln/detail/CVE-2021-44832