Add CVE-2021-44228 mitigation for ES
This only mitigates the CVE for ES included in the pre-packaged
distribution. Users who maintain their own ES (or Solr) installation
need to apply the mitigation there by themselves.

More information about how JanusGraph is affected by the CVE can be
found here:
https://lists.lfaidata.foundation/g/janusgraph-users/message/6272

The mitigation is recommended in the summary provided by Elasticsearch:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Fixes #2891

Signed-off-by: Florian Hockmann <fh@florian-hockmann.de>
FlorianHockmann committed Dec 16, 2021
1 parent 9e912b0 commit 16a7676
Showing 1 changed file with 3 additions and 0 deletions.
Expand Up @@ -89,3 +89,6 @@

# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=../logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m

# CVE-2021-44228 (aka “log4shell”) mitigation
-Dlog4j2.formatMsgNoLookups=true
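
Review bot: The comment added above `-Dlog4j2.formatMsgNoLookups=true` names the CVE but records neither where the mitigation comes from nor its scope, both of which appear only in the commit message. Consider putting the Elastic advisory URL in the comment, along with a note that this covers only the ES bundled with the pre-packaged distribution, so that someone reading the options file later knows why the flag is there and when it can be dropped. The comment also uses typographic quotes around “log4shell”; plain ASCII quotes would match the rest of the file and avoid encoding surprises. Unlike the `9-:` line above it, the new option carries no JDK version prefix, which looks intentional since it should apply on every JDK, but a word in the comment would make that explicit.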
