On December 9, 2021 a serious security vulnerability (CVE-2021-44228) was disclosed in the widely used logging library Log4j. This vulnerability affects a wide range of software, including the Stardog platform. It allows a remote attacker to execute code on the server running the vulnerable library.
On December 10, 2021, a new version of Log4j was released to address the vulnerability, and the Stardog engineering team immediately started working on a new release. Release 7.8.1 is now generally available. The only change in 7.8.1 is the fix for this vulnerability.
We strongly urge you to take one of the following two actions:
- Upgrade to Stardog 7.8.1 (Recommended).
- If you are using Stardog 7.4.2 or above and cannot upgrade, set the JVM property -Dlog4j2.formatMsgNoLookups=true according to your deployment method:
  - If you are deploying Stardog via Helm charts, edit line 27 to include the setting -Dlog4j2.formatMsgNoLookups=true
  - If you are deploying Stardog manually, set the STARDOG_SERVER_JAVA_ARGS environment variable to include -Dlog4j2.formatMsgNoLookups=true
Additional mitigation strategies are outlined in the CVE-2021-44228 report.
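For the manual deployment path, the following POSIX shell snippet is an added example (not Stardog's own tooling) that checks whether STARDOG_SERVER_JAVA_ARGS already carries the mitigation flag and appends it exactly once without clobbering existing JVM options. It assumes only what the advisory states: that Stardog's start script reads that variable, and that the flag is a stopgap for 7.4.2+ while upgrading to 7.8.1 remains the recommended fix. The sample heap argument is constructed for illustration.

```shell
#!/bin/sh
# Added example for the Log4j advisory above; not Stardog's own script.
# Assumes the manual deployment path: JVM flags reach Stardog through the
# STARDOG_SERVER_JAVA_ARGS environment variable.

MITIGATION_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# has_flag ARGS: returns 0 if ARGS already contains the flag as a whole token,
# so that e.g. a different value for the same property is not mistaken for it.
has_flag() {
    case " $1 " in
        *" $MITIGATION_FLAG "*) return 0 ;;
        *) return 1 ;;
    esac
}

# ensure_flag ARGS: prints ARGS with the flag appended once; existing options
# (heap size, GC settings) are preserved, and empty ARGS yields just the flag.
ensure_flag() {
    if has_flag "$1"; then
        printf '%s\n' "$1"
    elif [ -z "$1" ]; then
        printf '%s\n' "$MITIGATION_FLAG"
    else
        printf '%s\n' "$1 $MITIGATION_FLAG"
    fi
}

# check_env: returns 0 if the current environment carries the mitigation,
# 1 otherwise. Suitable as a pre-start gate in a service wrapper.
check_env() {
    if has_flag "${STARDOG_SERVER_JAVA_ARGS:-}"; then
        echo "OK: STARDOG_SERVER_JAVA_ARGS contains $MITIGATION_FLAG"
        return 0
    fi
    echo "MISSING: STARDOG_SERVER_JAVA_ARGS lacks $MITIGATION_FLAG" >&2
    return 1
}

# Constructed sample: an existing heap setting that must survive the edit.
SAMPLE_ARGS='-Xmx8g'
ensure_flag "$SAMPLE_ARGS"
# Typical use before starting the server:
#   export STARDOG_SERVER_JAVA_ARGS="$(ensure_flag "${STARDOG_SERVER_JAVA_ARGS:-}")"
#   check_env || exit 1
```

The whole-token match matters because a stale `-Dlog4j2.formatMsgNoLookups=false` would not satisfy the check, and appending the `true` variant after it is what you want since later `-D` definitions take precedence on the JVM command line. Run check_env from the same environment the server process inherits (the service unit or container entrypoint), not from an interactive shell, or the check proves nothing about the running JVM.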