Is neo4j 3.5 impacted by CVE-2021-44228?

Time:12-13

I found that only neo4j > 4.2 is impacted by this vulnerability (here and here).

But in the neo4j 3.5.21 pom I see a dependency on log4j (here):

<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
</dependency>

So is this version really safe for use in a production environment right now?

CodePudding user response:

It seems that log4j version 1.2.17 is used in neo4j 3.5.21, and this version is not vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2021-44228, as the vulnerability was introduced with version 2.10.0.

In any case, log4j version 1.2.17 is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2019-17571, which has a score of 9.8 out of 10. It is a different attack vector, maybe harder to exploit, but just as critical, and should not be used in production.

You should update your neo4j version in any case.
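A small POM audit for the two log4j CVEs named in this thread, added here as an example that is not from the answer or from Neo4j: it parses the dependency list and flags log4j 1.2.x (CVE-2019-17571) and log4j-core 2.x below 2.15.0, the release that fixed CVE-2021-44228. The POM fragment is constructed to mirror the question's dependency; versions given as Maven properties (`${...}`) are not resolved and are simply not flagged.

```python
import re
import xml.etree.ElementTree as ET

# Constructed POM fragment modelled on the neo4j 3.5.21 dependency in the question,
# plus a second (hypothetical) log4j-core entry so both CVE checks are exercised.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
  </dependencies>
</project>"""

def _parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints (qualifiers dropped)."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def find_log4j_deps(pom_xml):
    """Yield (groupId, artifactId, version) for every log4j dependency in a POM string."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter():
        if dep.tag.split("}")[-1] != "dependency":   # strip the Maven namespace, if any
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in dep}
        if fields.get("groupId") in ("log4j", "org.apache.logging.log4j"):
            yield fields["groupId"], fields.get("artifactId", ""), fields.get("version", "")

def classify(group_id, artifact_id, version):
    """Map one log4j coordinate to the CVEs discussed in the thread (empty list = not flagged)."""
    v = _parse_version(version)
    if group_id == "log4j" and v[:2] == (1, 2):
        return ["CVE-2019-17571"]   # log4j 1.2.x: SocketServer deserialization
    if group_id == "org.apache.logging.log4j" and artifact_id == "log4j-core" and (2, 0) <= v < (2, 15):
        return ["CVE-2021-44228"]   # log4j-core 2.x before 2.15.0: JNDI lookup
    return []

def audit_pom(pom_xml):
    """Return {'group:artifact:version': [CVE ids]} for every log4j dependency found."""
    return {f"{g}:{a}:{ver}": classify(g, a, ver) for g, a, ver in find_log4j_deps(pom_xml)}

if __name__ == "__main__":
    for coord, cves in audit_pom(SAMPLE_POM).items():
        print(coord, "->", ", ".join(cves) or "not flagged")
```

Run it against a real pom.xml by reading the file into `audit_pom`; transitive dependencies are not visible this way, so confirm with `mvn dependency:tree` or by listing the jars actually shipped.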
