Posted to dev@hbase.apache.org by "张铎(Duo Zhang)" <pa...@gmail.com> on 2021/12/10 10:02:56 UTC

Re: [NOTICE] Apache log4j2 security vulnerability

Seems 2.15.0 is already out. The log4j community decided to close the
vote early to solve the critical security issue.

A developer in our community has already filed an issue and opened a PR.

https://issues.apache.org/jira/browse/HBASE-26557
https://github.com/apache/hbase/pull/3933

Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.

On Fri, Dec 10, 2021 at 13:44, Tak Lon (Stephen) Wu <ta...@apache.org> wrote:

> Thanks for sharing! I found another post [2] that said how to perform such
> an attack.
>
> Should we have a JIRA and keep tracking the solution for it?
>
> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
>
> -Stephen
>
> On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) <pa...@gmail.com>
> wrote:
>
> > See this PR
> >
> > https://github.com/apache/logging-log4j2/pull/608
> >
> > Although the final 2.15.0 release for log4j2 has not been published yet, at
> > least on the Chinese internet the details and how to make use of
> > this vulnerability have already been public [1].
> >
> > HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a
> > 3.0.0-alpha-2 release out soon. And for those who already use HBase
> > 3.0.0-alpha-1, please consider using the following ways to disable JNDI
> >
> > Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM
> > Add 'log4j2.formatMsgNoLookups=True' to config file
> > 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting JVM
> >
> > Thanks.
> >
> > 1. https://nosec.org/home/detail/4917.html
> >
>
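
The three interim mitigations quoted above (JVM flag, properties-file entry, exported environment variable) are easy to intend and easy to get subtly wrong, so here is a small audit script, added as an example and not code from this thread or from the HBase project. It checks each of the three places for the setting and reports which, if any, is in effect. The function names and the sample inputs are this example's own, constructed for the demonstration; in practice the first argument would be the option string your daemons actually start with (for HBase, the value of HBASE_OPTS from hbase-env.sh) and the second the properties file where the property is kept (typically log4j2.component.properties on the classpath).

```shell
#!/bin/sh
# Added example, not code from the HBase thread or the HBase project.
# Audits whether one of the three interim log4j2 message-lookup mitigations
# quoted in the thread is in place for an HBase JVM:
#   1. -Dlog4j2.formatMsgNoLookups=true in the JVM option string
#   2. log4j2.formatMsgNoLookups=true in a properties file
#   3. FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true exported in the environment
# Function names and sample inputs below are this example's own.

# 1. JVM flag: split the option string on spaces and look for the exact token.
#    Case-insensitive, so the "=True" spelling used in the thread also counts.
has_jvm_flag() {
  printf '%s\n' "$1" | tr ' ' '\n' \
    | grep -qi '^-Dlog4j2\.formatMsgNoLookups=true$'
}

# 2. Properties file: match an uncommented "key = true" line only, so a
#    commented-out setting does not pass the audit.
has_config_property() {
  grep -Eqi '^[[:space:]]*log4j2\.formatMsgNoLookups[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# 3. Environment variable, compared case-insensitively.
has_env_var() {
  val=$(printf '%s' "${FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS:-}" | tr '[:upper:]' '[:lower:]')
  [ "$val" = "true" ]
}

# Report every mitigation found; exit status 0 if at least one is present.
# $1 = JVM option string (e.g. the value of HBASE_OPTS), $2 = properties file.
audit_lookup_mitigation() {
  found=1
  if has_jvm_flag "$1"; then
    echo "ok: -Dlog4j2.formatMsgNoLookups=true present in JVM options"; found=0
  fi
  if [ -f "$2" ] && has_config_property "$2"; then
    echo "ok: log4j2.formatMsgNoLookups=true set in $2"; found=0
  fi
  if has_env_var; then
    echo "ok: FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true exported"; found=0
  fi
  [ "$found" -eq 0 ] || echo "MISSING: no message-lookup mitigation found"
  return "$found"
}

# Constructed sample inputs (not real cluster configuration).
SAMPLE_OPTS_BAD="-Xmx4g -XX:+UseG1GC"
SAMPLE_OPTS_GOOD="-Xmx4g -Dlog4j2.formatMsgNoLookups=true -XX:+UseG1GC"
SAMPLE_CFG=$(mktemp)
printf '# log4j2.formatMsgNoLookups=false\nlog4j2.formatMsgNoLookups=True\n' > "$SAMPLE_CFG"
COMMENTED_CFG=$(mktemp)
printf '# log4j2.formatMsgNoLookups=true\n' > "$COMMENTED_CFG"
EMPTY_CFG=$(mktemp)

audit_lookup_mitigation "$SAMPLE_OPTS_BAD" "$EMPTY_CFG" || true   # reports MISSING
audit_lookup_mitigation "$SAMPLE_OPTS_GOOD" "$EMPTY_CFG"          # reports the JVM flag
audit_lookup_mitigation "$SAMPLE_OPTS_BAD" "$SAMPLE_CFG"          # reports the properties file
```

The script only inspects static configuration; it cannot tell you what a running process actually loaded, so run it against exactly the option string and files the daemons are started with. As the thread itself says, these flags are a stop-gap for people already on 3.0.0-alpha-1; the real fix is the dependency upgrade tracked in HBASE-26557 and shipped in 3.0.0-alpha-2.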

Re: [NOTICE] Apache log4j2 security vulnerability

Posted by "Tak Lon (Stephen) Wu" <ta...@apache.org>.
Thank you Guangxu!

-Stephen

On Mon, Dec 13, 2021 at 7:47 AM Josh Elser <el...@apache.org> wrote:
>
> Thanks Guangxu!
>
> On 12/13/21 6:01 AM, Guangxu Cheng wrote:
> > If there is no objection, I’ll volunteer to RM hbase-operation-tools 1.2.0
> > ------
> > Best Regards,
> > Guangxu
> >
> >
> > On Sun, Dec 12, 2021 at 22:37, 张铎(Duo Zhang) <pa...@gmail.com> wrote:
> >
> >> Besides 3.0.0-alpha-2, we also need to make a new release for
> >> hbase-operation-tools, any volunteers?
> >>
> >> Thanks.
> >>
> >> On Fri, Dec 10, 2021 at 18:02, 张铎(Duo Zhang) <pa...@gmail.com> wrote:
> >>
> >>> Seems 2.15.0 is already out. The log4j community decided to close the
> >>> vote early to solve the critical security issue.
> >>>
> >>> A developer in our community has already filed an issue and opened a PR.
> >>>
> >>> https://issues.apache.org/jira/browse/HBASE-26557
> >>> https://github.com/apache/hbase/pull/3933
> >>>
> >>> Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.
> >>>
> >>> On Fri, Dec 10, 2021 at 13:44, Tak Lon (Stephen) Wu <ta...@apache.org> wrote:
> >>>
> >>>> Thanks for sharing! I found another post [2] that said how to perform such
> >>>> an attack.
> >>>>
> >>>> Should we have a JIRA and keep tracking the solution for it?
> >>>>
> >>>> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
> >>>>
> >>>> -Stephen
> >>>>
> >>>> On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) <pa...@gmail.com>
> >>>> wrote:
> >>>>
> >>>>> See this PR
> >>>>>
> >>>>> https://github.com/apache/logging-log4j2/pull/608
> >>>>>
> >>>>> Although the final 2.15.0 release for log4j2 has not been published yet, at
> >>>>> least on the Chinese internet the details and how to make use of
> >>>>> this vulnerability have already been public [1].
> >>>>>
> >>>>> HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a
> >>>>> 3.0.0-alpha-2 release out soon. And for those who already use HBase
> >>>>> 3.0.0-alpha-1, please consider using the following ways to disable JNDI
> >>>>>
> >>>>> Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM
> >>>>> Add 'log4j2.formatMsgNoLookups=True' to config file
> >>>>> 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting JVM
> >>>>>
> >>>>> Thanks.
> >>>>>
> >>>>> 1. https://nosec.org/home/detail/4917.html
> >>>>>
> >>>>
> >>>
> >>
> >

Re: [NOTICE] Apache log4j2 security vulnerability

Posted by Josh Elser <el...@apache.org>.
Thanks Guangxu!

On 12/13/21 6:01 AM, Guangxu Cheng wrote:
> If there is no objection, I’ll volunteer to RM hbase-operation-tools 1.2.0
> ------
> Best Regards,
> Guangxu
> 
> 
> On Sun, Dec 12, 2021 at 22:37, 张铎(Duo Zhang) <pa...@gmail.com> wrote:
> 
>> Besides 3.0.0-alpha-2, we also need to make a new release for
>> hbase-operation-tools, any volunteers?
>>
>> Thanks.
>>
>> On Fri, Dec 10, 2021 at 18:02, 张铎(Duo Zhang) <pa...@gmail.com> wrote:
>>
>>> Seems 2.15.0 is already out. The log4j community decided to close the
>>> vote early to solve the critical security issue.
>>>
>>> A developer in our community has already filed an issue and opened a PR.
>>>
>>> https://issues.apache.org/jira/browse/HBASE-26557
>>> https://github.com/apache/hbase/pull/3933
>>>
>>> Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.
>>>
>>> On Fri, Dec 10, 2021 at 13:44, Tak Lon (Stephen) Wu <ta...@apache.org> wrote:
>>>
>>>> Thanks for sharing! I found another post [2] that said how to perform such
>>>> an attack.
>>>>
>>>> Should we have a JIRA and keep tracking the solution for it?
>>>>
>>>> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
>>>>
>>>> -Stephen
>>>>
>>>> On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) <pa...@gmail.com>
>>>> wrote:
>>>>
>>>>> See this PR
>>>>>
>>>>> https://github.com/apache/logging-log4j2/pull/608
>>>>>
>>>>> Although the final 2.15.0 release for log4j2 has not been published yet, at
>>>>> least on the Chinese internet the details and how to make use of
>>>>> this vulnerability have already been public [1].
>>>>>
>>>>> HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a
>>>>> 3.0.0-alpha-2 release out soon. And for those who already use HBase
>>>>> 3.0.0-alpha-1, please consider using the following ways to disable JNDI
>>>>>
>>>>> Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM
>>>>> Add 'log4j2.formatMsgNoLookups=True' to config file
>>>>> 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting JVM
>>>>>
>>>>> Thanks.
>>>>>
>>>>> 1. https://nosec.org/home/detail/4917.html
>>>>>
>>>>
>>>
>>
> 

Re: [NOTICE] Apache log4j2 security vulnerability

Posted by Guangxu Cheng <gx...@apache.org>.
If there is no objection, I’ll volunteer to RM hbase-operation-tools 1.2.0
------
Best Regards,
Guangxu


On Sun, Dec 12, 2021 at 22:37, 张铎(Duo Zhang) <pa...@gmail.com> wrote:

> Besides 3.0.0-alpha-2, we also need to make a new release for
> hbase-operation-tools, any volunteers?
>
> Thanks.
>
> On Fri, Dec 10, 2021 at 18:02, 张铎(Duo Zhang) <pa...@gmail.com> wrote:
>
> > Seems 2.15.0 is already out. The log4j community decided to close the
> > vote early to solve the critical security issue.
> >
> > A developer in our community has already filed an issue and opened a PR.
> >
> > https://issues.apache.org/jira/browse/HBASE-26557
> > https://github.com/apache/hbase/pull/3933
> >
> > Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.
> >
> > On Fri, Dec 10, 2021 at 13:44, Tak Lon (Stephen) Wu <ta...@apache.org> wrote:
> >
> >> Thanks for sharing! I found another post [2] that said how to perform such
> >> an attack.
> >>
> >> Should we have a JIRA and keep tracking the solution for it?
> >>
> >> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
> >>
> >> -Stephen
> >>
> >> On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) <pa...@gmail.com>
> >> wrote:
> >>
> >> > See this PR
> >> >
> >> > https://github.com/apache/logging-log4j2/pull/608
> >> >
> >> > Although the final 2.15.0 release for log4j2 has not been published yet, at
> >> > least on the Chinese internet the details and how to make use of
> >> > this vulnerability have already been public [1].
> >> >
> >> > HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a
> >> > 3.0.0-alpha-2 release out soon. And for those who already use HBase
> >> > 3.0.0-alpha-1, please consider using the following ways to disable JNDI
> >> >
> >> > Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM
> >> > Add 'log4j2.formatMsgNoLookups=True' to config file
> >> > 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting JVM
> >> >
> >> > Thanks.
> >> >
> >> > 1. https://nosec.org/home/detail/4917.html
> >> >
> >>
> >
>

Re: [NOTICE] Apache log4j2 security vulnerability

Posted by "张铎(Duo Zhang)" <pa...@gmail.com>.
Besides 3.0.0-alpha-2, we also need to make a new release for
hbase-operation-tools, any volunteers?

Thanks.

On Fri, Dec 10, 2021 at 18:02, 张铎(Duo Zhang) <pa...@gmail.com> wrote:

> Seems 2.15.0 is already out. The log4j community decided to close the
> vote early to solve the critical security issue.
>
> A developer in our community has already filed an issue and opened a PR.
>
> https://issues.apache.org/jira/browse/HBASE-26557
> https://github.com/apache/hbase/pull/3933
>
> Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.
>
> On Fri, Dec 10, 2021 at 13:44, Tak Lon (Stephen) Wu <ta...@apache.org> wrote:
>
>> Thanks for sharing! I found another post [2] that said how to perform such
>> an attack.
>>
>> Should we have a JIRA and keep tracking the solution for it?
>>
>> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
>>
>> -Stephen
>>
>> On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) <pa...@gmail.com>
>> wrote:
>>
>> > See this PR
>> >
>> > https://github.com/apache/logging-log4j2/pull/608
>> >
>> > Although the final 2.15.0 release for log4j2 has not been published yet, at
>> > least on the Chinese internet the details and how to make use of
>> > this vulnerability have already been public [1].
>> >
>> > HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a
>> > 3.0.0-alpha-2 release out soon. And for those who already use HBase
>> > 3.0.0-alpha-1, please consider using the following ways to disable JNDI
>> >
>> > Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM
>> > Add 'log4j2.formatMsgNoLookups=True' to config file
>> > 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting JVM
>> >
>> > Thanks.
>> >
>> > 1. https://nosec.org/home/detail/4917.html
>> >
>>
>
