Stardog 7.8.1 available

On December 9, 2021, a serious security vulnerability (CVE-2021-44228) was disclosed in the widely used logging library Log4j. This vulnerability affects a wide range of software, including the Stardog platform, and allows an attacker to execute code on a remote server.

On December 10, 2021, a new version of Log4j was released to address the vulnerability, and the Stardog engineering team immediately started working on a new release. Release 7.8.1 is now generally available. The only change in 7.8.1 is the fix for this vulnerability.

We strongly urge you to take one of the following two actions:

  1. Upgrade to Stardog 7.8.1 (Recommended)

  2. If you are using Stardog 7.4.2 or above and cannot upgrade, set the JVM property -Dlog4j2.formatMsgNoLookups=true according to your deployment method:

    1. If you are deploying Stardog via Helm charts, edit line 27 to include the setting:
      -Dlog4j2.formatMsgNoLookups=true

    2. If you are deploying Stardog manually, set the STARDOG_SERVER_JAVA_ARGS environment variable to include -Dlog4j2.formatMsgNoLookups=true
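For the manual deployment case, the following is an added example (not a Stardog script) of a POSIX shell snippet that appends the mitigation flag to STARDOG_SERVER_JAVA_ARGS without discarding any JVM arguments already set there, plus a check function you can use to confirm the flag is actually present on the running server's Java command line. The process-name pattern in check_running_stardog is an assumption and may need adjusting to your environment.

```shell
#!/bin/sh
# Added example (not Stardog's own script): make sure the Log4j mitigation
# flag from the announcement is present in STARDOG_SERVER_JAVA_ARGS and
# verify it on a running JVM.

LOG4J_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Print the given JVM argument string with the flag appended if it is
# missing; existing arguments (heap size, GC settings, ...) are preserved.
add_log4j_flag() {
  case " $1 " in
    *" $LOG4J_FLAG "*) printf '%s\n' "$1" ;;      # already present
    "  ")              printf '%s\n' "$LOG4J_FLAG" ;;  # nothing set yet
    *)                 printf '%s\n' "$1 $LOG4J_FLAG" ;;
  esac
}

# Return 0 if the argument string carries the exact mitigation flag
# (a value of "false" or a typo does not count), 1 otherwise.
has_log4j_flag() {
  case " $1 " in
    *" $LOG4J_FLAG "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Export the combined value before starting the server.
STARDOG_SERVER_JAVA_ARGS="$(add_log4j_flag "${STARDOG_SERVER_JAVA_ARGS:-}")"
export STARDOG_SERVER_JAVA_ARGS

# Post-restart check: inspect the running Java process command line rather
# than the environment, since the flag only protects the JVM it was passed to.
# The grep pattern for the Stardog process is an assumption.
check_running_stardog() {
  cmdline="$(ps -eo args= | grep '[j]ava.*[Ss]tardog' | head -n 1)"
  has_log4j_flag "$cmdline"
}
```

Run the check function after restarting the server; a non-zero exit means the mitigation did not reach the JVM (for example because the variable was exported in a different shell than the one that started Stardog).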

Additional mitigation strategies are outlined in the CVE-2021-44228 report.
