CVE-2021-34371

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote code execution on Neo4j databases that have the legacy shell server enabled. The shell server exposes a Java RMI service that deserializes attacker-supplied Java objects (for example through the setSessionVariable call), so a malicious serialized object sent to the RMI port runs arbitrary code as the database process. Organizations running Neo4j 3.4.18 or earlier with dbms.shell.enabled=true are affected.

💻 Affected Systems

Products:
  • Neo4j
Versions: through 3.4.18
Operating Systems: All platforms running Neo4j
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the shell server is enabled (dbms.shell.enabled=true); it is not enabled by default, and even when enabled it listens on loopback unless dbms.shell.host has been changed

📦 What is this software?

Neo4j is a graph database. Older 3.x releases ship a legacy remote shell server (configured through the dbms.shell.* settings) that the neo4j-shell command-line client connects to over Java RMI, by default on TCP port 1337. That RMI endpoint is the vulnerable component.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise leading to data theft, ransomware deployment, or complete database takeover

🟠

Likely Case

Remote code execution allowing attackers to execute commands, access sensitive data, and pivot to other systems

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts

🌐 Internet-Facing: HIGH - Directly exploitable over network without authentication
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this vulnerability

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code publicly available on Exploit-DB, uses Java deserialization gadget chains

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.19 and later, 3.5.x and later

Vendor Advisory: https://neo4j.com/security/cve-2021-34371/

Restart Required: Yes

Instructions:

1. Stop the Neo4j service.
2. Install Neo4j 3.4.19 or later (or a 3.5.x or newer release).
3. Start the Neo4j service.
4. Verify the running version is patched (neo4j version) and that dbms.shell.enabled is not set to true.

🔧 Temporary Workarounds

Disable Shell Server

all

Disable the vulnerable RMI shell server component. It is off by default, so this only changes anything on hosts where someone has switched it on.

Edit neo4j.conf and set: dbms.shell.enabled=false
Restart Neo4j service

Network Access Control

linux

Restrict network access to the Neo4j shell RMI port (default 1337, configurable via dbms.shell.port). Removing the port from firewalld only undoes an earlier --add-port; to block it explicitly, add a reject rule. Java RMI may also export the remote object on an ephemeral port in addition to the registry port, so a default-deny zone is safer than a single-port rule. If the shell must stay enabled, keep it bound to loopback (dbms.shell.host=127.0.0.1, the default) so it is not reachable from the network at all.

firewall-cmd --permanent --remove-port=1337/tcp
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="1337" protocol="tcp" reject'
firewall-cmd --reload

🧯 If You Can't Patch

  • Disable the shell server in neo4j.conf (dbms.shell.enabled=false) immediately and restart Neo4j
  • If it must stay enabled, bind it to loopback only (dbms.shell.host=127.0.0.1) and use cypher-shell or another client that does not need the RMI endpoint
  • Implement strict network segmentation and firewall rules so the Neo4j RMI port is reachable only from hosts that need it

🔍 How to Verify

Check if Vulnerable:

Check both the running version and the shell server configuration; the shell server is off unless a live (uncommented) dbms.shell.enabled=true line is present:

neo4j version
grep -E '^\s*dbms\.shell\.(enabled|host|port)' neo4j.conf

Check Version:

neo4j version

Verify Fix Applied:

Verify the version is 3.4.19 or later and the shell server is disabled. Both commands must succeed (the second exits 0 only when no live dbms.shell.enabled=true line remains):

neo4j version | grep -E '3\.4\.(19|[2-9][0-9])|3\.5\.|[4-9]\.'
! grep -Eq '^\s*dbms\.shell\.enabled\s*=\s*true' neo4j.conf
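As an added worked example (not code from the page or from the Neo4j project), the checks above combined into one POSIX sh script that classifies a host: version inside the affected range, shell server on or off, and whether it is bound to loopback. Assumptions: the affected range is "through 3.4.18" as stated above; dbms.shell.enabled (default false), dbms.shell.host (default 127.0.0.1) and dbms.shell.port (default 1337) are the Neo4j 3.x shell server keys; the neo4j.conf files built below are constructed sample input; and the usage line assumes that neo4j version prints "neo4j X.Y.Z".

```shell
#!/bin/sh
# Added example, not Neo4j project code: classify one host's exposure to
# CVE-2021-34371 from its version string and its neo4j.conf.
# On a real host (assumes 'neo4j version' prints "neo4j X.Y.Z"):
#   assess_neo4j "$(neo4j version | awk '{print $2}')" /etc/neo4j/neo4j.conf

# Exit 0 when VERSION falls in the affected range (anything through 3.4.18).
version_affected() {
  v="$1"
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}          # drop pre-release suffixes such as -beta01
  [ -z "$patch" ] && patch=0
  if [ "$major" -lt 3 ]; then return 0; fi
  if [ "$major" -gt 3 ]; then return 1; fi
  if [ "$minor" -lt 4 ]; then return 0; fi
  if [ "$minor" -gt 4 ]; then return 1; fi
  [ "$patch" -le 18 ]
}

# Effective value of KEY in CONF: the last uncommented assignment wins.
# Prints nothing when the key is absent, meaning Neo4j's default applies.
conf_value() {
  key=$(printf '%s' "$1" | sed 's/\./\\./g')   # make the dots in the key literal
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 \
    | sed 's/[[:space:]]*$//'
}

# Print one status token: patched-version, shell-disabled,
# vulnerable-loopback-only:HOST:PORT or vulnerable-network-exposed:HOST:PORT.
assess_neo4j() {
  version="$1"; conf="$2"
  if ! version_affected "$version"; then
    echo "patched-version"; return 0
  fi
  enabled=$(conf_value dbms.shell.enabled "$conf")
  if [ "$enabled" != "true" ]; then
    echo "shell-disabled"; return 0        # default is dbms.shell.enabled=false
  fi
  host=$(conf_value dbms.shell.host "$conf"); [ -n "$host" ] || host=127.0.0.1
  port=$(conf_value dbms.shell.port "$conf"); [ -n "$port" ] || port=1337
  case "$host" in
    127.*|localhost|::1) echo "vulnerable-loopback-only:$host:$port" ;;
    *)                   echo "vulnerable-network-exposed:$host:$port" ;;
  esac
}

# Constructed sample configs for the demo (not real Neo4j files).
exposed_conf=$(mktemp)
cat >"$exposed_conf" <<'EOF'
# shell server switched on and bound to every interface
dbms.shell.enabled=true
dbms.shell.host=0.0.0.0
dbms.shell.port=1337
EOF

loopback_conf=$(mktemp)
printf 'dbms.shell.enabled=true\n' >"$loopback_conf"   # host left at its default

hardened_conf=$(mktemp)
cat >"$hardened_conf" <<'EOF'
#dbms.shell.enabled=true   (commented out, so ignored)
dbms.shell.enabled=false
EOF

for v in 3.4.18 3.4.19 3.5.0; do
  echo "$v exposed:  $(assess_neo4j "$v" "$exposed_conf")"
  echo "$v loopback: $(assess_neo4j "$v" "$loopback_conf")"
  echo "$v hardened: $(assess_neo4j "$v" "$hardened_conf")"
done
```

The version test deliberately treats every release before 3.4 as affected, matching the "through 3.4.18" range rather than only the 3.4 line. A loopback-only result is still a local privilege boundary problem (any local user can reach the RMI port), so treat it as a reason to disable the shell, not as safe.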

📡 Detection & Monitoring

Log Indicators:

  • Unusual RMI connections
  • Java deserialization errors
  • Unexpected process execution

Network Indicators:

  • Connections to Neo4j RMI port (default 1337) from unexpected sources
  • Java RMI protocol traffic

SIEM Query:

source="neo4j.log" AND ("RMI" OR "deserialization" OR "shell")

This query is a broad first pass: "shell" also matches unrelated entries such as cypher-shell activity, and Neo4j's own logs are not a reliable record of RMI client connections. Treat matches as leads and corroborate them with network telemetry for the shell port (default 1337) and with process-execution monitoring on the database host.

🔗 References

  • Vendor advisory: https://neo4j.com/security/cve-2021-34371/