See this PR https://github.com/apache/logging-log4j2/pull/608
Although the final 2.15.0 release for log4j2 has not been published yet, at least on the Chinese internet the details and how to make use of this vulnerability has already been public[1]. HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a 3.0.0-alpha-2 release out soon. And for those who already use HBase 3.0.0-alpha-1, please consider using the following ways to disable JNDI Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM Add 'log4j2.formatMsgNoLookups=True' to config file 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting JVM Thanks. 1. https://nosec.org/home/detail/4917.html
