HBASE-26557 log4j2 has a critical RCE vulnerability (#3933)

Signed-off-by: Duo Zhang <zhangduo@apache.org> Signed-off-by: Pankaj Kumar <pankajkumar@apache.org> Signed-off-by: Geoffrey Jacoby <gjacoby@apache.org>
2021-12-10 23:52:28 +08:00 · 2021-12-10 23:52:28 +08:00 · 02c044484d
parent b5cf3cdc5c
commit 02c044484d
3 changed files with 9 additions and 1 deletions
--- a/bin/hbase-config.cmd
+++ b/bin/hbase-config.cmd
@ -67,6 +67,10 @@ if exist "%HBASE_CONF_DIR%\hbase-env.cmd" (
  call "%HBASE_CONF_DIR%\hbase-env.cmd"
 )

+@rem Disable the JNDI. This feature has critical REC vulnerability.
+@rem when 2.x <= log4j.version <= 2.14.1
+set HBASE_OPTS=%HBASE_OPTS% -Dlog4j2.formatMsgNoLookups=true
+
 if not defined JAVA_HOME (
  echo Warning: JAVA_HOME environment variable is not set. Defaulting to c:\apps\java
  set JAVA_HOME=c:\apps\java
--- a/bin/hbase-config.sh
+++ b/bin/hbase-config.sh
@ -162,6 +162,10 @@ fi
 # memory usage to explode. Tune the variable down to prevent vmem explosion.
 export MALLOC_ARENA_MAX=${MALLOC_ARENA_MAX:-4}

+# Disable the JNDI. This feature has critical REC vulnerability
+# when 2.x <= log4j.version <= 2.14.1
+export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"
+
 # Now having JAVA_HOME defined is required 
 if [ -z "$JAVA_HOME" ]; then
    cat 1>&2 <<EOF
--- a/pom.xml
+++ b/pom.xml
@ -1746,7 +1746,7 @@
    <hamcrest.version>1.3</hamcrest.version>
    <opentelemetry.version>1.0.1</opentelemetry.version>
    <opentelemetry-javaagent.version>1.0.1</opentelemetry-javaagent.version>
-    <log4j2.version>2.14.1</log4j2.version>
+    <log4j2.version>2.15.0</log4j2.version>
    <mockito-core.version>2.28.2</mockito-core.version>
    <protobuf.plugin.version>0.6.1</protobuf.plugin.version>
    <thrift.path>thrift</thrift.path>