From 02c044484d923012da773b382ee1075d24638534 Mon Sep 17 00:00:00 2001 From: Yutong Xiao Date: Fri, 10 Dec 2021 23:52:28 +0800 Subject: [PATCH] HBASE-26557 log4j2 has a critical RCE vulnerability (#3933) Signed-off-by: Duo Zhang Signed-off-by: Pankaj Kumar Signed-off-by: Geoffrey Jacoby --- bin/hbase-config.cmd | 4 ++++ bin/hbase-config.sh | 4 ++++ pom.xml | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/bin/hbase-config.cmd b/bin/hbase-config.cmd index 3b7b713abfd..f0a972815a5 100644 --- a/bin/hbase-config.cmd +++ b/bin/hbase-config.cmd @@ -67,6 +67,10 @@ if exist "%HBASE_CONF_DIR%\hbase-env.cmd" ( call "%HBASE_CONF_DIR%\hbase-env.cmd" ) +@rem Disable the JNDI. This feature has critical REC vulnerability. +@rem when 2.x <= log4j.version <= 2.14.1 +set HBASE_OPTS=%HBASE_OPTS% -Dlog4j2.formatMsgNoLookups=true + if not defined JAVA_HOME ( echo Warning: JAVA_HOME environment variable is not set. Defaulting to c:\apps\java set JAVA_HOME=c:\apps\java diff --git a/bin/hbase-config.sh b/bin/hbase-config.sh index 3e85ec59fb6..10be5b74905 100644 --- a/bin/hbase-config.sh +++ b/bin/hbase-config.sh @@ -162,6 +162,10 @@ fi # memory usage to explode. Tune the variable down to prevent vmem explosion. export MALLOC_ARENA_MAX=${MALLOC_ARENA_MAX:-4} +# Disable the JNDI. This feature has critical REC vulnerability +# when 2.x <= log4j.version <= 2.14.1 +export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true" + # Now having JAVA_HOME defined is required if [ -z "$JAVA_HOME" ]; then cat 1>&2 <1.3 1.0.1 1.0.1 - 2.14.1 + 2.15.0 2.28.2 0.6.1 thrift
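Review bot: The comment added above `set HBASE_OPTS=%HBASE_OPTS% -Dlog4j2.formatMsgNoLookups=true` in bin/hbase-config.cmd misdescribes the mitigation. The property turns off lookup substitution in logged messages rather than disabling JNDI, and "REC" should read "RCE". As far as I know the property is only honoured from log4j 2.10 onwards, so the stated range "2.x <= log4j.version <= 2.14.1" suggests protection that an older 2.x jar on the classpath would not get. Suggested wording: `@rem Disable log4j2 message lookups (RCE via JNDI lookup); effective when 2.10 <= log4j.version <= 2.14.1`. The same comment text appears in the bin/hbase-config.sh hunk and needs the same correction.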
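Review bot: The added `export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"` line in bin/hbase-config.sh has spaces around `=`, so the shell does not perform an assignment. It exports HBASE_OPTS with its old value and then rejects `=` and the quoted string as invalid identifiers, which means the flag never reaches the JVM on Unix hosts. The line should read `export HBASE_OPTS="$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"`. The pom.xml bump to 2.15.0 only covers the log4j that HBase itself ships, so a deployment that still loads an older log4j jar depends on this line. After the fix, it is worth confirming that the option shows up on the launched java command line.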