GrapheneDB Blog

Updates from the GrapheneDB team

Regarding Log4j Vulnerability

Update December 16th, 14:13 UTC

As expected, Neo4j has released new 4.2 and 4.3 versions (4.2.13 and 4.3.9) that contain the latest Log4j (2.16.0) with the fix for the most recently discovered attack vector, CVE-2021-45046.

We have made both versions available for our customers to upgrade on our admin interface and we’re reaching out to affected databases with further details. For new databases, we have disabled all versions but 4.2.13 and 4.3.9.

Update December 15th, 14:00 UTC

It looks like an additional attack vector was identified and reported as CVE-2021-45046. The current Neo4j patch releases contain Log4j 2.15.0, which is still impacted. There might be new Neo4j patch releases shortly, so please stay tuned.
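As an added example (not GrapheneDB's or Neo4j's own code), the following Python script scans a directory tree such as a Neo4j installation's lib folder for log4j-core jars and classifies each one against the versions named in these updates: below 2.15.0, exactly 2.15.0, and 2.16.0 or later. It also looks inside each jar for the JndiLookup class, whose removal is the Apache-published mitigation for jars that cannot be upgraded. The directory layout, jar names and the placeholder jars built by demo() are constructed assumptions for the example.

```python
"""Find log4j-core jars under a directory and classify each against the versions
this post discusses (below 2.15.0, exactly 2.15.0, 2.16.0 or later)."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (2, 16, 0)    # version the post reports as carrying the fix
PARTIAL = (2, 15, 0)  # shipped in the first Neo4j patches; still impacted
# Removing this class from a jar is the Apache-published mitigation for vulnerable versions.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def classify(version, jndi_present):
    """Map a (major, minor, patch) tuple plus JndiLookup presence to a status."""
    if version is None:
        return "unknown-version"
    if version[0] != 2:
        return "not-log4j2"
    if version >= FIXED:
        return "fixed"
    if not jndi_present:
        return "jndi-lookup-removed"
    return "affected-CVE-2021-45046" if version == PARTIAL else "affected-CVE-2021-44228"

def scan(root):
    """Return {relative jar path: status} for every log4j-core-*.jar under root."""
    root, findings = Path(root), {}
    for jar in sorted(root.rglob("log4j-core-*.jar")):
        m = JAR_RE.search(jar.name)
        version = tuple(int(x) for x in m.groups()) if m else None
        try:
            with zipfile.ZipFile(jar) as zf:  # inspect contents, not just the name
                jndi = JNDI_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            jndi = True  # unreadable jar: assume the lookup class is present
        findings[jar.relative_to(root).as_posix()] = classify(version, jndi)
    return findings

def demo():
    """Build constructed placeholder jars (not real Log4j) in a temp dir and scan."""
    root = Path(tempfile.mkdtemp())
    samples = {"lib/log4j-core-2.14.1.jar": True, "lib/log4j-core-2.15.0.jar": True,
               "plugins/log4j-core-2.15.0.jar": False, "lib/log4j-core-2.16.0.jar": True}
    for rel, with_jndi in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / rel, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"")  # placeholder entry, not bytecode
    return scan(root)
```

Run `scan("/path/to/neo4j")` against a real installation; the thresholds are those stated in this post and should be revisited as newer Log4j advisories appear.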

Original post

Security is a top priority at GrapheneDB and our Ops team has been looking into this exploit from the moment it went public. We’d like to share with you some known details and actions that we took to mitigate it.

On Friday (December 10th, 2021), we and many others became aware of a critical severity zero-day exploit known as “Log4Shell” in the Log4j library, which is widely used in numerous systems around the internet. It has now been published as CVE-2021-44228.

Our Ops team has been actively taking steps to mitigate and monitor the situation. The good news is that we didn't find any breaches in the GrapheneDB systems and databases. Services and components that use the affected library are running a newer Java version, which in combination with other applied security measures makes this vulnerability hard to exploit.

We want to use this opportunity to remind you that we have a feature to restrict access to your databases via IP Whitelisting or VPC peering.

With utmost security in mind, we don't want to risk attack vectors that we might have overlooked or that have not yet been discovered. That's why we have taken the following decisions:

  • We are following the official recommendations on how to mitigate the problem.

  • Neo4j has released new 4.2 and 4.3 patch versions with a newer version of Log4j, which is not impacted. For new deployments we've removed the option to use affected versions, and for existing databases we have a plan to upgrade them to the new patch versions. If you have any questions or concerns related to this matter, please don't hesitate to contact us by submitting a new support ticket or via email at support@graphenedb.com.