Posted to commits@hbase.apache.org by zh...@apache.org on 2021/12/10 15:53:01 UTC

[hbase] branch master updated: HBASE-26557 log4j2 has a critical RCE vulnerability (#3933)

This is an automated email from the ASF dual-hosted git repository.

zhangduo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/master by this push:
     new 02c0444  HBASE-26557 log4j2 has a critical RCE vulnerability (#3933)
02c0444 is described below

commit 02c044484d923012da773b382ee1075d24638534
Author: Yutong Xiao <yu...@gmail.com>
AuthorDate: Fri Dec 10 23:52:28 2021 +0800

    HBASE-26557 log4j2 has a critical RCE vulnerability (#3933)
    
    Signed-off-by: Duo Zhang <zh...@apache.org>
    Signed-off-by: Pankaj Kumar <pa...@apache.org>
    Signed-off-by: Geoffrey Jacoby <gj...@apache.org>
---
 bin/hbase-config.cmd | 4 ++++
 bin/hbase-config.sh  | 4 ++++
 pom.xml              | 2 +-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/bin/hbase-config.cmd b/bin/hbase-config.cmd
index 3b7b713..f0a9728 100644
--- a/bin/hbase-config.cmd
+++ b/bin/hbase-config.cmd
@@ -67,6 +67,10 @@ if exist "%HBASE_CONF_DIR%\hbase-env.cmd" (
   call "%HBASE_CONF_DIR%\hbase-env.cmd"
 )
 
+@rem Disable the JNDI. This feature has critical REC vulnerability.
+@rem when 2.x <= log4j.version <= 2.14.1
+set HBASE_OPTS=%HBASE_OPTS% -Dlog4j2.formatMsgNoLookups=true
+
 if not defined JAVA_HOME (
   echo Warning: JAVA_HOME environment variable is not set. Defaulting to c:\apps\java
   set JAVA_HOME=c:\apps\java
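Review bot: The added comment misstates what the option does and which versions it covers. `-Dlog4j2.formatMsgNoLookups=true` turns off lookup substitution in log messages rather than JNDI itself, it is only honoured by log4j 2.10 and later (so the stated lower bound of 2.x is too wide), and "REC" should read "RCE". I would word it as `@rem Disable log4j2 message lookups (JNDI RCE). Honoured by log4j 2.10+ only; a stopgap until log4j is upgraded.` The same comment text is repeated in the bin/hbase-config.sh hunk and needs the same correction there. Because the property is a stopgap, the pom.xml upgrade should be treated as the real fix, and the runtime classpath is worth checking for older log4j-core jars brought in by other components.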
diff --git a/bin/hbase-config.sh b/bin/hbase-config.sh
index 3e85ec5..10be5b7 100644
--- a/bin/hbase-config.sh
+++ b/bin/hbase-config.sh
@@ -162,6 +162,10 @@ fi
 # memory usage to explode. Tune the variable down to prevent vmem explosion.
 export MALLOC_ARENA_MAX=${MALLOC_ARENA_MAX:-4}
 
+# Disable the JNDI. This feature has critical REC vulnerability
+# when 2.x <= log4j.version <= 2.14.1
+export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"
+
 # Now having JAVA_HOME defined is required 
 if [ -z "$JAVA_HOME" ]; then
     cat 1>&2 <<EOF
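Review bot: The added `export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"` has spaces around `=`, so the shell passes `HBASE_OPTS`, `=` and the quoted string to `export` as three separate names. It reports the last two as invalid identifiers and leaves HBASE_OPTS unchanged, so on Unix hosts the JVM never receives the mitigation flag. The line should be `export HBASE_OPTS="$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"`. Once fixed, confirm on a started daemon that the property appears on the Java command line, since a silent failure here leaves the process exposed while the config looks patched. The `if [ -z "$JAVA_HOME" ]` block at the end of the hunk continues outside it.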
diff --git a/pom.xml b/pom.xml
index 065f665..21946ec 100755
--- a/pom.xml
+++ b/pom.xml
@@ -1746,7 +1746,7 @@
     <hamcrest.version>1.3</hamcrest.version>
     <opentelemetry.version>1.0.1</opentelemetry.version>
     <opentelemetry-javaagent.version>1.0.1</opentelemetry-javaagent.version>
-    <log4j2.version>2.14.1</log4j2.version>
+    <log4j2.version>2.15.0</log4j2.version>
     <mockito-core.version>2.28.2</mockito-core.version>
     <protobuf.plugin.version>0.6.1</protobuf.plugin.version>
     <thrift.path>thrift</thrift.path>