Wikibase/Announcements/2021-12-14

The Wikibase team is aware of the vulnerability in log4j announced on December 9, 2021: [ https://www.cve.org/CVERecord?id=CVE-2021-44228 CVE-2021-44228] aka [ https://en.wikipedia.org/wiki/Log4Shell log4shell]. In our Wikibase Docker install, the only piece of software affected by this vulnerability is the version of Elasticsearch we currently use, 6.5.4. This is an older version of Elasticsearch. For now, users of the wikibase-release-pipeline Docker images should circumvent this vulnerability by disabling log4j lookups.

To circumvent the vulnerability, add the following Java option to the ES_JAVA_OPTS variable specified in your docker-compose(-extra).yml file and restart your Docker images:

-Dlog4j2.formatMsgNoLookups=true

This patch is also available on our [ https://github.com/wmde/wikibase-release-pipeline/commit/6b1342e94b1d75df1035d87d20c6e1eff47c340e github mirror].

Going forward we will carefully vet any new software or new versions of existing software to ensure the log4shell vulnerability is not present.

Feel free to respond on our [ https://www.mediawiki.org/wiki/Talk:Wikibase/FAQ?dtenable=1 questions page] with any questions or concerns. Thanks for your attention.