Hi,
May I please confirm that adding the JVM option -Dlog4j2.formatMsgNoLookups=true to Elastic Search installations to address the recently reported log4j vulnerability is an acceptable immediate/short term solution?
Hello,
As mentioned on the official Elastic blog website, this indeed is a way to prevent the exploit.
Kind regards,
An official Skyline blog post has been published: responding to log4shell vulnerability
Thanks!
Best Regards
Jörg
Another way to mitigate the vulnerabilities is to update your elasticsearch version, more information can be found here (it’s also linked in the article above): https://community.dataminer.services/documentation/upgrading-elasticsearch-from-one-minor-version-to-another/
Dear Skyline teams, I would like to confirm that customers are asking for any sensitivity of DataMiner regarding the log4j vulnerability. Personally I don't think there is any relation because DataMiner is all .NET, however, some statement/guidance is requested by customers. Thanks, Jörg
Hi Jörg, DataMiner is indeed not impacted as we don’t use Java. But we have to be careful with Cassandra and Elastic. We’re currently making an assessment and we will publish a blog post today on this topic with our recommendations for Elastic and/or Cassandra.
To add to the context of this question, we are aware that there are multiple users of DataMiner who have raised questions regarding this security vulnerability for both DataMiner 9.6 and 10.1 in their production deployments. More info regarding the vulnerability found here https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
Some guidance of the applicability of this security vulnerability to DataMiner infrastructure (core software and any other third-party software e.g.: databases MSSQL, ES, Cassandra, etc) is requested.