Wikibase/Announcements/2021-12-14

The Wikibase team is aware of the vulnerability in log4j announced on December 9, 2021: [https://www.cve.org/CVERecord?id=CVE-2021-44228 CVE-2021-44228] aka [https://en.wikipedia.org/wiki/Log4Shell log4shell]. In our Wikibase Docker install, the only piece of software affected by this vulnerability is the version of Elasticsearch we currently use, 6.5.4. This is an older version of Elasticsearch. [https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 See Elastic's own announcement].

For now, users of the wikibase-release-pipeline Docker images should mitigate this vulnerability by disabling log4j message lookups.

To mitigate the vulnerability, add the following Java option to the ES_JAVA_OPTS variable specified in your docker-compose(-extra).yml file and restart the affected containers:

-Dlog4j2.formatMsgNoLookups=true

This patch is also available on our [https://github.com/wmde/wikibase-release-pipeline/commit/6b1342e94b1d75df1035d87d20c6e1eff47c340e github mirror].
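To confirm that the option actually reached the Elasticsearch JVM after the restart, here is an added check script; it is not part of this announcement or of the wikibase-release-pipeline repository. It assumes the Compose service is named elasticsearch, that docker-compose is available on the host, and the heap sizes in the comment are placeholders.

```shell
#!/bin/sh
# Added example: verify the log4shell mitigation on a running Elasticsearch
# container. The compose file should carry a line like (heap sizes assumed):
#   environment:
#     ES_JAVA_OPTS: "-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true"
# Note: Log4j honours this property only from 2.10 onward; see Elastic's
# advisory (linked above) for which Elasticsearch versions it covers.

ES_SERVICE="${ES_SERVICE:-elasticsearch}"   # assumed compose service name
FLAG="-Dlog4j2.formatMsgNoLookups=true"

# Pure check: does a JVM argument string contain the mitigation flag as a
# whole token? Returns 0 when present, 1 otherwise.
has_no_lookups_flag() {
    case " $1 " in
        *" $FLAG "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read the real JVM command line from inside the container (what
# Elasticsearch was actually started with, not just what the compose
# file says). Looks for the process running the Elasticsearch bootstrap.
running_jvm_args() {
    docker-compose exec -T "$ES_SERVICE" sh -c \
        'for f in /proc/[0-9]*/cmdline; do tr "\0" " " < "$f"; echo; done 2>/dev/null \
         | grep org.elasticsearch.bootstrap.Elasticsearch'
}

main() {
    args="$(running_jvm_args)" || {
        echo "could not read JVM args from service '$ES_SERVICE'"; return 2; }
    if has_no_lookups_flag "$args"; then
        echo "OK: $ES_SERVICE JVM started with $FLAG"
    else
        echo "NOT MITIGATED: $FLAG missing; fix ES_JAVA_OPTS and restart"
        return 1
    fi
}

# Only perform the live check when invoked as: sh check-log4j.sh --check
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it with `--check` after every restart; a non-zero exit means the container is still running without the flag.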

Going forward we will carefully vet any new software or new versions of existing software to ensure the log4shell vulnerability is not present.

Feel free to respond on our [https://www.mediawiki.org/wiki/Talk:Wikibase/FAQ?dtenable=1 questions page] with any questions or concerns. Thanks for your attention.