docker-neo4j
RCE 0-day in log4j
This is a known issue already tracked in the core repository: https://github.com/neo4j/neo4j/issues/12796
Elasticsearch is updating its docker images to include the mitigating configuration. For example: https://github.com/elastic/elasticsearch/pull/81623
Is there work in progress to include the mitigating config in Neo4j docker images?
Setting
```
- NEO4J_dbms_jvm_additional=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -XX:+AlwaysPreTouch -XX:+UnlockExperimentalVMOptions -XX:+TrustFinalNonStaticFields -XX:+DisableExplicitGC -XX:MaxInlineLevel=15 -XX:-UseBiasedLocking -Djdk.nio.maxCachedBufferSize=262144 -Dio.netty.tryReflectionSetAccessible=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true -XX:FlightRecorderOptions=stackdepth=256 -XX:+UnlockDiagnosticVMOptions -XX:+DebugNonSafepoints -Dlog4j2.formatMsgNoLookups=true -Dlog4j2.disable.jmx=true
```
mitigates the problem in 4.3.7, but not in 4.2.9. Any clue?
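A small check for the setting quoted above, added here as an example and not code from the docker-neo4j project or from anyone in this thread: it parses a `NEO4J_dbms_jvm_additional` value (either the compose-list form shown above or a plain `-e` value) and reports whether `-Dlog4j2.formatMsgNoLookups=true` is actually present. The function names and the sample value are my own.

```python
"""Parse a docker-neo4j NEO4J_dbms_jvm_additional setting and check for the
log4j2.formatMsgNoLookups mitigation property.

Added example, not part of the docker-neo4j project.
"""
import shlex

# Constructed sample in docker-compose "environment:" list form
# (a shortened version of the value posted in the thread).
SAMPLE_ENV_LINE = (
    "- NEO4J_dbms_jvm_additional=-XX:+UseG1GC -XX:-OmitStackTraceInFastThrow "
    "-XX:MaxInlineLevel=15 -Dlog4j2.formatMsgNoLookups=true -Dlog4j2.disable.jmx=true"
)


def parse_jvm_additional(env_line: str) -> dict:
    """Split a NEO4J_dbms_jvm_additional setting into {flag: value}.

    -Dkey=value     -> {"key": "value"}
    -XX:+Flag/-Flag -> {"XX:Flag": True/False}
    -XX:Name=value  -> {"XX:Name": "value"}
    """
    line = env_line.strip()
    if line.startswith("- "):          # tolerate the compose list dash
        line = line[2:].strip()
    if line.startswith("NEO4J_dbms_jvm_additional="):
        line = line.split("=", 1)[1]
    flags = {}
    for tok in shlex.split(line):
        if tok.startswith("-D"):
            key, sep, val = tok[2:].partition("=")
            flags[key] = val if sep else True
        elif tok.startswith("-XX:"):
            body = tok[4:]
            if body and body[0] in "+-" and "=" not in body:
                flags["XX:" + body[1:]] = body[0] == "+"
            else:
                name, _, val = body.partition("=")
                flags["XX:" + name] = val
        else:
            flags[tok] = True             # anything else, kept verbatim
    return flags


def log4j_lookups_disabled(env_line: str) -> bool:
    """True only if log4j2.formatMsgNoLookups is set to 'true' (case-insensitive)."""
    value = parse_jvm_additional(env_line).get("log4j2.formatMsgNoLookups", "")
    return str(value).lower() == "true"
```

This only confirms the property is present in the container's configuration; whether that property is enough depends on which log4j version the image bundles, which the check does not inspect.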
Neo4j claims to have a mitigation fix included in the docker images:
https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j/48856
> The docker images have also been updated with a config setting disabling jmx.
But I can't see any activity in the repo backing this claim.
Also asked in the forum already:
https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j-the-docker-images-have-also-been-updated-with-a-config-setting-disabling-jmx/48926
> Is there work in progress to include the mitigating config in Neo4j docker images?
Seems to be done already:
https://community.neo4j.com/t/log4j-cve-mitigation-for-neo4j-the-docker-images-have-also-been-updated-with-a-config-setting-disabling-jmx/48926/2?u=bleimehl