Re: [NOTICE] Apache log4j2 security vulnerability
If there is no objection, I'll volunteer to RM hbase-operation-tools 1.2.0

--
Best Regards,
Guangxu

On Sun, Dec 12, 2021 at 22:37, 张铎(Duo Zhang) wrote:

> Besides 3.0.0-alpha-2, we also need to make a new release for hbase-operation-tools, any volunteers?
>
> Thanks.
>
> On Fri, Dec 10, 2021 at 18:02, 张铎(Duo Zhang) wrote:
>
> > Seems the 2.15.0 is already out. The log4j community decided to close the vote earlier to solve the critical security issue.
> >
> > A developer in our community has already filed an issue and opened a PR.
> >
> > https://issues.apache.org/jira/browse/HBASE-26557
> > https://github.com/apache/hbase/pull/3933
> >
> > Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.
> >
> > On Fri, Dec 10, 2021 at 13:44, Tak Lon (Stephen) Wu wrote:
> >
> > > Thanks for sharing! I found another post [2] that said how to perform such an attack.
> > >
> > > Should we have a JIRA and keep tracking the solution for it?
> > >
> > > [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
> > >
> > > -Stephen
> > >
> > > On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) wrote:
> > >
> > > > See this PR
> > > >
> > > > https://github.com/apache/logging-log4j2/pull/608
> > > >
> > > > Although the final 2.15.0 release for log4j2 has not been published yet, at least on the Chinese internet the details and how to make use of this vulnerability have already been public [1].
> > > >
> > > > HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a 3.0.0-alpha-2 release out soon. And for those who already use HBase 3.0.0-alpha-1, please consider using the following ways to disable JNDI:
> > > >
> > > > Add '-Dlog4j2.formatMsgNoLookups=true' when starting the JVM
> > > > Add 'log4j2.formatMsgNoLookups=True' to the config file
> > > > 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting the JVM
> > > >
> > > > Thanks.
> > > >
> > > > 1. https://nosec.org/home/detail/4917.html
Re: [NOTICE] Apache log4j2 security vulnerability
Besides 3.0.0-alpha-2, we also need to make a new release for hbase-operation-tools, any volunteers?

Thanks.

On Fri, Dec 10, 2021 at 18:02, 张铎(Duo Zhang) wrote:

> Seems the 2.15.0 is already out. The log4j community decided to close the vote earlier to solve the critical security issue.
>
> A developer in our community has already filed an issue and opened a PR.
>
> https://issues.apache.org/jira/browse/HBASE-26557
> https://github.com/apache/hbase/pull/3933
>
> Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.
>
> On Fri, Dec 10, 2021 at 13:44, Tak Lon (Stephen) Wu wrote:
>
> > Thanks for sharing! I found another post [2] that said how to perform such an attack.
> >
> > Should we have a JIRA and keep tracking the solution for it?
> >
> > [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
> >
> > -Stephen
> >
> > On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) wrote:
> >
> > > See this PR
> > >
> > > https://github.com/apache/logging-log4j2/pull/608
> > >
> > > Although the final 2.15.0 release for log4j2 has not been published yet, at least on the Chinese internet the details and how to make use of this vulnerability have already been public [1].
> > >
> > > HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a 3.0.0-alpha-2 release out soon. And for those who already use HBase 3.0.0-alpha-1, please consider using the following ways to disable JNDI:
> > >
> > > Add '-Dlog4j2.formatMsgNoLookups=true' when starting the JVM
> > > Add 'log4j2.formatMsgNoLookups=True' to the config file
> > > 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting the JVM
> > >
> > > Thanks.
> > >
> > > 1. https://nosec.org/home/detail/4917.html
Re: [NOTICE] Apache log4j2 security vulnerability
Seems the 2.15.0 is already out. The log4j community decided to close the vote earlier to solve the critical security issue.

A developer in our community has already filed an issue and opened a PR.

https://issues.apache.org/jira/browse/HBASE-26557
https://github.com/apache/hbase/pull/3933

Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.

On Fri, Dec 10, 2021 at 13:44, Tak Lon (Stephen) Wu wrote:

> Thanks for sharing! I found another post [2] that said how to perform such an attack.
>
> Should we have a JIRA and keep tracking the solution for it?
>
> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
>
> -Stephen
>
> On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) wrote:
>
> > See this PR
> >
> > https://github.com/apache/logging-log4j2/pull/608
> >
> > Although the final 2.15.0 release for log4j2 has not been published yet, at least on the Chinese internet the details and how to make use of this vulnerability have already been public [1].
> >
> > HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a 3.0.0-alpha-2 release out soon. And for those who already use HBase 3.0.0-alpha-1, please consider using the following ways to disable JNDI:
> >
> > Add '-Dlog4j2.formatMsgNoLookups=true' when starting the JVM
> > Add 'log4j2.formatMsgNoLookups=True' to the config file
> > 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting the JVM
> >
> > Thanks.
> >
> > 1. https://nosec.org/home/detail/4917.html
Re: [NOTICE] Apache log4j2 security vulnerability
Thanks for sharing! I found another post [2] that said how to perform such an attack.

Should we have a JIRA and keep tracking the solution for it?

[2] https://www.lunasec.io/docs/blog/log4j-zero-day/

-Stephen

On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) wrote:

> See this PR
>
> https://github.com/apache/logging-log4j2/pull/608
>
> Although the final 2.15.0 release for log4j2 has not been published yet, at least on the Chinese internet the details and how to make use of this vulnerability have already been public [1].
>
> HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a 3.0.0-alpha-2 release out soon. And for those who already use HBase 3.0.0-alpha-1, please consider using the following ways to disable JNDI:
>
> Add '-Dlog4j2.formatMsgNoLookups=true' when starting the JVM
> Add 'log4j2.formatMsgNoLookups=True' to the config file
> 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting the JVM
>
> Thanks.
>
> 1. https://nosec.org/home/detail/4917.html
[NOTICE] Apache log4j2 security vulnerability
See this PR

https://github.com/apache/logging-log4j2/pull/608

Although the final 2.15.0 release for log4j2 has not been published yet, at least on the Chinese internet the details and how to make use of this vulnerability have already been public [1].

HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a 3.0.0-alpha-2 release out soon. And for those who already use HBase 3.0.0-alpha-1, please consider using the following ways to disable JNDI:

Add '-Dlog4j2.formatMsgNoLookups=true' when starting the JVM
Add 'log4j2.formatMsgNoLookups=True' to the config file
'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting the JVM

Thanks.

1. https://nosec.org/home/detail/4917.html
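A defender-side check for the three stopgaps listed in the notice, added here as an example; it is not code from the thread or from the HBase project. It takes the JVM command line, a log4j2 properties file and the value of FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS and reports which mitigation, if any, is present. The sample command lines and properties file are constructed, and the file name log4j2.component.properties is an assumption about where the config-file variant would live. A hit from this check only confirms the stopgap; the thread's actual remedy is moving to a release built against log4j2 2.15.0.

```shell
#!/bin/sh
# Added example, not code from the HBase thread: verify that a JVM launch
# carries one of the three log4j2 lookup mitigations from the notice.
# All inputs below are constructed so the script runs offline.

# check_log4j_mitigation CMDLINE PROPFILE ENVVALUE
#   CMDLINE  - the java command line of the process
#   PROPFILE - path to a log4j2 properties file ("" if none)
#   ENVVALUE - value of FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS in its environment
# Prints the mitigation found (system-property, config-file, env-var) and
# returns 0, or prints "none" and returns 1.
check_log4j_mitigation() {
    cmdline=$1
    propfile=$2
    envvalue=$3

    # 1. -Dlog4j2.formatMsgNoLookups=true on the JVM command line (value case-insensitive)
    case "$cmdline" in
        *-Dlog4j2.formatMsgNoLookups=[Tt][Rr][Uu][Ee]*)
            echo "system-property"; return 0 ;;
    esac

    # 2. log4j2.formatMsgNoLookups=True in the config file (whitespace and case tolerated)
    if [ -n "$propfile" ] && [ -f "$propfile" ] &&
       grep -iq '^[[:space:]]*log4j2\.formatMsgNoLookups[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$propfile"; then
        echo "config-file"; return 0
    fi

    # 3. FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true exported before launch
    case "$envvalue" in
        [Tt][Rr][Uu][Ee])
            echo "env-var"; return 0 ;;
    esac

    echo "none"; return 1
}

# Constructed sample inputs (the HBase main classes are real, the flags are illustrative)
SAMPLE_CMDLINE_PATCHED='java -Xmx4g -Dlog4j2.formatMsgNoLookups=true org.apache.hadoop.hbase.master.HMaster start'
SAMPLE_CMDLINE_BARE='java -Xmx4g org.apache.hadoop.hbase.regionserver.HRegionServer start'
SAMPLE_PROPS=$(mktemp)
printf '# constructed log4j2.component.properties (assumed location)\nlog4j2.formatMsgNoLookups=True\n' > "$SAMPLE_PROPS"

check_log4j_mitigation "$SAMPLE_CMDLINE_PATCHED" "" ""             # system-property
check_log4j_mitigation "$SAMPLE_CMDLINE_BARE" "$SAMPLE_PROPS" ""   # config-file
check_log4j_mitigation "$SAMPLE_CMDLINE_BARE" "" "true"            # env-var
check_log4j_mitigation "$SAMPLE_CMDLINE_BARE" "" "" \
    || echo "no mitigation found: upgrade to a log4j2 2.15.0 based release"
rm -f "$SAMPLE_PROPS"
```

In a real deployment the command line comes from the process table (for example `ps -o args= -p <pid>`) and the environment from the service unit or launch script; the function only inspects what it is handed, so feeding it the wrong process or a stale config file yields a false "none" rather than a false positive.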