Wikibase/Announcements/2021-12-14/id

The Wikibase team is aware of the vulnerability in log4j announced on 9 December 2021: CVE-2021-44228, also known as log4shell. In our Wikibase Docker installation, the only piece of software affected by this vulnerability is the version of Elasticsearch we are currently using, namely 6.5.4. This is an old version of Elasticsearch. See Elastic's own announcement.

For now, users of the wikibase-release-pipeline Docker images should work around this vulnerability by disabling log4j lookups.

To apply the workaround, add the following Java option to the ES_JAVA_OPTS variable specified in your docker-compose(-extra).yml file and restart your Docker images:

-Dlog4j2.formatMsgNoLookups=true

This patch is also available on our GitHub mirror.
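To confirm the option is in place before restarting, the following added example (not part of this announcement or of the wikibase-release-pipeline code) checks that every ES_JAVA_OPTS line in a compose file carries the flag. The function name, the sample service name, heap values and file names are assumptions, and it assumes ES_JAVA_OPTS is written as a single-line value.

```shell
#!/bin/sh
# Added example: verify the log4j lookup mitigation is set in a compose file.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# check_es_java_opts FILE  (hypothetical helper)
#   0: every ES_JAVA_OPTS line contains the flag
#   1: at least one ES_JAVA_OPTS line lacks it (offending lines go to stderr)
#   2: no ES_JAVA_OPTS line found, or file unreadable
check_es_java_opts() {
    file=$1
    [ -r "$file" ] || return 2
    # Matches both "ES_JAVA_OPTS: ..." and "- ES_JAVA_OPTS=..."; skips YAML comments.
    lines=$(grep -n 'ES_JAVA_OPTS' "$file" | grep -v '^[0-9]*:[[:space:]]*#') || true
    [ -n "$lines" ] || return 2
    # Fixed-string match, so "=false" or a missing flag is reported.
    missing=$(printf '%s\n' "$lines" | grep -v -F -e "$FLAG") || true
    if [ -n "$missing" ]; then
        printf '%s: flag missing on:\n%s\n' "$file" "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (service name and heap sizes are assumptions).
tmp=$(mktemp -d)
cat > "$tmp/unpatched.yml" <<'EOF'
services:
  elasticsearch:
    environment:
      ES_JAVA_OPTS: "-Xms512m -Xmx512m"
EOF
cat > "$tmp/patched.yml" <<'EOF'
services:
  elasticsearch:
    environment:
      ES_JAVA_OPTS: "-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true"
EOF

for f in "$tmp/unpatched.yml" "$tmp/patched.yml"; do
    if check_es_java_opts "$f"; then echo "OK      $f"; else echo "REVIEW  $f"; fi
done
```

A result of 2 is worth a second look: it means the file sets no ES_JAVA_OPTS at all, so the option may need to go into the other compose file.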

Going forward we will carefully vet any new software or new versions of existing software to ensure the log4shell vulnerability is not present.

Feel free to respond on our questions page with any questions or concerns. Thanks for your attention.