I found that only neo4j > 4.2 is impacted by this vulnerability (here and here).
But in the neo4j 3.5.21 pom I see a dependency on log4j (here):
<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
</dependency>
So is this version really safe for use in a production environment right now?
CodePudding user response:
It seems that log4j version 1.2.17 is used in neo4j 3.5.21, and this version is not vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2021-44228 as the vulnerability was introduced with version 2.10.0.
In any case, log4j version 1.2.17 is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2019-17571, which has a score of 9.8 out of 10. It is a different attack vector, maybe harder to exploit, but just as critical, and should not be used in production.
You should update your neo4j version in any case.
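An added example, not part of either post above, of how to check a pom.xml for exactly the two log4j issues discussed: it parses the dependency list, resolves each log4j coordinate against the NVD affected ranges for CVE-2019-17571 (the whole log4j 1.2 line through 1.2.17, via the SocketServer deserialization path) and CVE-2021-44228 (log4j-core 2.0-beta9 up to but not including 2.15.0, with the 2.12.2+ and 2.3.1+ backport releases treated as fixed), and reports unresolved `${property}` versions rather than silently skipping them. The sample pom is constructed; its first dependency mirrors the one in the question. Function names (`parse_dependencies`, `version_tuple`, `findings_for`, `scan_pom`) are my own, and the version comparison is a simplified Maven ordering, not the real Maven resolver.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from neo4j); the first entry is the one quoted in the question.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.1</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> in a pom document."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        deps.append((group, artifact, version))
    return deps


def version_tuple(v):
    """Simplified Maven ordering: 'major.minor[.patch][-qualifier]' -> comparable tuple.
    A qualified version (2.0-beta9) sorts before the final release with the same numbers (2.0).
    Raises ValueError for anything else, e.g. an unresolved ${log4j.version} property."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, qual = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qual else 1, qual or "")


def findings_for(group, artifact, version):
    """CVE ids (from the two NVD entries on this page) that apply to one coordinate."""
    try:
        vt = version_tuple(version)
    except ValueError:
        # A property reference or odd string: report it instead of assuming it is safe.
        return ["UNRESOLVED-VERSION"]
    found = []
    if (group, artifact) == ("log4j", "log4j"):
        # Log4j 1.x: CVE-2019-17571 (SocketServer deserialization) covers 1.2 up to and
        # including 1.2.17, the last 1.x release. Exposure needs SocketServer to be run,
        # but the fixed 1.x line does not exist, so the remediation is to move off 1.x.
        if version_tuple("1.2.0") <= vt <= version_tuple("1.2.17"):
            found.append("CVE-2019-17571")
    if (group, artifact) == ("org.apache.logging.log4j", "log4j-core"):
        # Log4j 2: CVE-2021-44228 (JNDI lookup RCE). Affected from 2.0-beta9; 2.15.0 removed
        # the vulnerable behaviour, and 2.12.2 / 2.3.1 were backport fixes for older JDKs.
        in_range = version_tuple("2.0-beta9") <= vt < version_tuple("2.15.0")
        backport_fixed = (version_tuple("2.12.2") <= vt < version_tuple("2.13.0")
                          or version_tuple("2.3.1") <= vt < version_tuple("2.4.0"))
        if in_range and not backport_fixed:
            found.append("CVE-2021-44228")
    return found


def scan_pom(pom_xml):
    """List of ('group:artifact:version', [cve ids]) for every dependency in the pom."""
    return [(f"{g}:{a}:{v}", findings_for(g, a, v)) for g, a, v in parse_dependencies(pom_xml)]


if __name__ == "__main__":
    for coordinate, cves in scan_pom(SAMPLE_POM):
        print(coordinate, "->", ", ".join(cves) if cves else "no finding for these two CVEs")
```

Run it against a real pom with `scan_pom(open("pom.xml").read())`. An empty finding only means neither of the two CVEs above applies; it says nothing about later log4j 2 advisories, and a pom scan misses log4j bundled transitively or shaded into another jar, so on a deployed server the check belongs on the classpath (the jars actually shipped in the neo4j lib directory), not only on the build file.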