Hi all,

This is a security notice about the impact of the Apache Log4j2 Remote Code Execution vulnerability on Apache Kylin.

Background

Apache Log4j2 is a Java-based logging library that is widely used in the industry. The recently disclosed Remote Code Execution vulnerability in Apache Log4j2 allows an attacker who can get a specially crafted request logged by an application that bundles a vulnerable Log4j2 to execute arbitrary code on that host.

Scope of influence

The affected version range of Log4j2 is Apache Log4j 2.x <= 2.14.1.

All currently released versions of Apache Kylin (Kylin 2.x, Kylin 3.x, Kylin 4.x) use log4j 1.2.17 by default, which is not the Log4j2 code base. However, Kylin's startup script adds jars from the Hadoop environment (Hadoop, Spark, HBase, Hive and other components) to Kylin's classpath, and in a Hadoop 3 environment those components generally ship Apache Log4j2. If your Hadoop cluster is version 3.0 or above, it is therefore recommended to upgrade the Log4j2 jars of the Hadoop cluster, so that a vulnerable Log4j2 cannot be pulled into the Kylin service through its classpath.

Solution

If the Hadoop components in your environment use Log4j2, upgrade Log4j2 across the whole cluster to the latest release at the time of this notice, 2.15.0-rc2, so that Kylin's startup script can no longer load a Log4j2 jar with the security risk into Kylin's classpath. After the cluster-wide upgrade, restart Kylin so the startup script picks up the upgraded jars, then run `jinfo $(cat pid)` under $KYLIN_HOME (the pid file Kylin writes there) and inspect the java.class.path entry to confirm that every log4j-core-2.x.x.jar on Kylin's classpath is the upgraded, secure Log4j2 version.

Best Regards!
Apache Kylin Team
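The check described in the Solution above can be scripted. The following POSIX shell script is an added example, not part of this notice or of Apache Kylin itself: it takes the `jinfo` output of the Kylin process, extracts the java.class.path value, lists every log4j-core jar on it and flags versions in the affected range (2.x <= 2.14.1). The sample `jinfo` output embedded in the script is constructed for illustration; the path names in it are assumptions, not real Kylin or Hadoop layouts.

```shell
#!/bin/sh
# Added example (not Apache Kylin project code): scan the java.class.path of a
# running Kylin JVM for log4j-core jars in the affected range (2.x <= 2.14.1).

# Print the java.class.path value from `jinfo <pid>` output read on stdin.
# Accepts both "key = value" (JDK 8) and "key=value" (JDK 9+) layouts.
classpath_from_jinfo() {
  sed -n 's/^java\.class\.path *= *//p'
}

# Return 0 if Log4j2 version "$1" (e.g. 2.14.1 or 2.15.0-rc2) is in the range
# this notice calls affected (2.x <= 2.14.1), 1 otherwise.
# A trailing qualifier such as "-rc2" is ignored for the comparison.
log4j2_version_affected() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  [ -n "$v" ] || return 1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0          # no third component given
  [ "$major" -eq 2 ] || return 1             # only the 2.x line is in scope
  [ "$minor" -lt 14 ] && return 0
  [ "$minor" -eq 14 ] && [ "$patch" -le 1 ] && return 0
  return 1
}

# Scan a colon-separated classpath ("$1") for log4j-core jars.
# Prints one line per jar: "AFFECTED <version> <path>" or "ok <version> <path>".
# Returns 0 when no affected jar was found, 1 otherwise.
scan_classpath() {
  status=0
  old_ifs=$IFS
  IFS=:
  set -f                                     # no globbing while splitting
  for jar in $1; do
    case $jar in
      *log4j-core-*.jar) ;;
      *) continue ;;                         # log4j 1.x and other jars are not in scope
    esac
    ver=${jar##*log4j-core-}
    ver=${ver%.jar}
    if log4j2_version_affected "$ver"; then
      printf 'AFFECTED %s %s\n' "$ver" "$jar"
      status=1
    else
      printf 'ok       %s %s\n' "$ver" "$jar"
    fi
  done
  set +f
  IFS=$old_ifs
  return $status
}

# Constructed sample of `jinfo <pid>` output (paths are assumptions for
# illustration only). It mixes a still-vulnerable Hadoop jar, an upgraded
# Spark jar and Kylin's own log4j 1.2.17, which this scan deliberately ignores.
SAMPLE_JINFO='Java System Properties:
java.class.path = /opt/kylin/lib/kylin-job.jar:/opt/hadoop/share/hadoop/common/lib/log4j-core-2.14.1.jar:/opt/hadoop/share/hadoop/common/lib/log4j-api-2.14.1.jar:/opt/spark/jars/log4j-core-2.15.0-rc2.jar:/opt/hbase/lib/log4j-1.2.17.jar
java.home = /usr/lib/jvm/java-8'

# Stand-alone run on the sample. On a real node, replace the sample with:
#   cd "$KYLIN_HOME" && jinfo "$(cat pid)" | classpath_from_jinfo
cp=$(printf '%s\n' "$SAMPLE_JINFO" | classpath_from_jinfo)
scan_classpath "$cp" || echo "At least one affected log4j-core jar is on Kylin's classpath: upgrade the cluster's Log4j2 and restart Kylin."
```

Any `AFFECTED` line means an Hadoop-side jar in the vulnerable range is still being loaded by Kylin's startup script, so the cluster upgrade is incomplete or Kylin has not been restarted since it. The scan only looks at log4j-core jars because that is the artifact this notice is about; log4j-api and log4j 1.x jars are reported neither way.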
