
Don't add log4j vulnerability fix every time. #348

Merged


linuslundahl
Contributor

Please check if the PR fulfills these requirements

  • The commit message follows our guidelines
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

What kind of change does this PR introduce?

Prevent duplication of the log4j vulnerability fix setting. Apparently doing neo4jConfig.get('dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups') doesn't return true; I'm guessing the double equal signs in the setting (dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true) screw up the fetching of it.

What is the current behavior?

dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true is added as a new line in the config on each DBMS start.

What is the new behavior?

dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true is only added once to the config.

Does this PR introduce a breaking change?

Other information:

Comment on lines +309 to +311
const log4jVulnFix = neo4jConfig.config.find(
(item) => item[0] === 'dbms.jvm.additional' && item[1] === '-Dlog4j2.formatMsgNoLookups=true',
);
Contributor Author

neo4jConfig.get('dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups') isn't working when trying to fetch if the setting has been added.

Contributor

I realized only now, but wouldn't the key be only dbms.jvm.additional? So you'd check with

neo4jConfig.get('dbms.jvm.additional') === '-Dlog4j2.formatMsgNoLookups'

and set as

neo4jConfig.set('dbms.jvm.additional', '-Dlog4j2.formatMsgNoLookups')

Contributor Author

No, there are multiple entries that start with dbms.jvm.additional in the conf file already. And using neo4jConfig.get('dbms.jvm.additional') will return the first one. In the default case we get -XX:+UseG1GC. So that won't do...

Contributor Author

and the actual setting is: dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true.

Contributor

Ah okay, never mind then
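The thread above turns on two details: dbms.jvm.additional is a legitimately repeated key in neo4j.conf, so a first-match lookup returns -XX:+UseG1GC rather than the log4j flag, and the flag's value itself contains an '='. The following is an added illustration, not code from the neo4j-desktop project; the sample conf, the parseConf/getFirst/ensureLog4jFix helpers and the demo() wrapper are all constructed here to show why the key-and-value match in the PR is what makes the insertion idempotent.

```javascript
// Added example (not the project's code): a minimal model of a neo4j.conf with a
// repeated key, showing why a first-match lookup misses the Log4Shell mitigation
// flag and how to add it exactly once.

// Constructed sample of a default-style neo4j.conf; dbms.jvm.additional appears
// several times, once per JVM flag, as the thread describes.
const SAMPLE_CONF = `
dbms.default_database=neo4j
dbms.jvm.additional=-XX:+UseG1GC
dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
dbms.jvm.additional=-Dunsupported.dbms.udc.source=desktop
`;

const LOG4J_KEY = 'dbms.jvm.additional';
const LOG4J_VALUE = '-Dlog4j2.formatMsgNoLookups=true';

// Parse into an ordered list of [key, value] pairs. Splitting on the FIRST '='
// only is what keeps the '=' inside '-Dlog4j2.formatMsgNoLookups=true' in the value.
function parseConf(text) {
  return text.split('\n')
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .map((line) => {
      const i = line.indexOf('=');
      return [line.slice(0, i).trim(), line.slice(i + 1).trim()];
    });
}

// First-match lookup (hypothetical helper): with a repeated key it returns the
// first entry, so it cannot tell whether the log4j flag is already present.
function getFirst(config, key) {
  const hit = config.find(([k]) => k === key);
  return hit ? hit[1] : undefined;
}

// Idempotent insertion: match on key AND value, as the PR does, and append only
// when that exact pair is absent. Returns true when a line was added.
function ensureLog4jFix(config) {
  const present = config.some(([k, v]) => k === LOG4J_KEY && v === LOG4J_VALUE);
  if (!present) config.push([LOG4J_KEY, LOG4J_VALUE]);
  return !present;
}

function demo() {
  const config = parseConf(SAMPLE_CONF);
  const first = getFirst(config, LOG4J_KEY);              // '-XX:+UseG1GC'
  const added = [ensureLog4jFix(config), ensureLog4jFix(config)]; // [true, false]
  const count = config.filter(([k, v]) => k === LOG4J_KEY && v === LOG4J_VALUE).length;
  return { first, added, count, text: config.map(([k, v]) => `${k}=${v}`).join('\n') };
}
```

Running demo() twice over the same parsed config leaves a single log4j line, which is the behaviour the PR description asks for.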

@linuslundahl linuslundahl requested a review from nglgzz March 8, 2022 14:05
@linuslundahl linuslundahl merged commit a0bdac4 into neo4j-devtools:master Mar 9, 2022
@linuslundahl linuslundahl deleted the fix/log4j-0-day-exploit branch March 9, 2022 07:54