Thanks for sharing! I found another post [2] that said how to perform such
an attack.

Should we have a JIRA and keep tracking the solution for it?

[2] https://www.lunasec.io/docs/blog/log4j-zero-day/

-Stephen

On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) <palomino...@gmail.com> wrote:

> See this PR
>
> https://github.com/apache/logging-log4j2/pull/608
>
> Although the final 2.15.0 release for log4j2 has not been published yet, at
> least on the Chinese internet the details and how to make use of
> this vulnerability have already been public [1].
>
> HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a
> 3.0.0-alpha-2 release out soon. And for those who already use HBase
> 3.0.0-alpha-1, please consider using the following ways to disable JNDI
>
> Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM
> Add 'log4j2.formatMsgNoLookups=True' to config file
> 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting JVM
>
> Thanks.
>
> 1. https://nosec.org/home/detail/4917.html
>
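
Added example (not code from the thread or from HBase): a small Python audit helper that checks whether a JVM launch carries any of the three mitigations Duo lists, via the JVM flag, the environment variable, or the properties file (the "config file" above; for log4j2 system properties this is typically log4j2.component.properties). The HBase-style command line, environment and properties text in it are constructed samples.

```python
"""Audit helper: which of the three log4j2 message-lookup mitigations are in place?"""
import re
import shlex

LOOKUP_KEY = "log4j2.formatMsgNoLookups"
ENV_VAR = "FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS"


def _is_true(value):
    # log4j2 reads the value case-insensitively, so 'True' and 'true' both count
    return value.strip().lower() == "true"


def jvm_flag_set(cmdline):
    """True if the effective -Dlog4j2.formatMsgNoLookups value on the command line is true.
    The JVM lets a later -D override an earlier one, so the last occurrence wins."""
    effective = None
    for arg in shlex.split(cmdline):
        if arg.startswith("-D" + LOOKUP_KEY + "="):
            effective = arg.split("=", 1)[1]
    return effective is not None and _is_true(effective)


def env_var_set(env):
    """True if FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true is exported."""
    return _is_true(env.get(ENV_VAR, ""))


def properties_flag_set(text):
    """True if a Java properties file sets log4j2.formatMsgNoLookups to true
    (handles '=' or ':' separators and '#'/'!' comment lines)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m and m.group(1) == LOOKUP_KEY:
            return _is_true(m.group(2))
    return False


def mitigations_present(cmdline, env, properties_text):
    """Return the subset of {'jvm', 'env', 'properties'} that is in effect."""
    found = set()
    if jvm_flag_set(cmdline):
        found.add("jvm")
    if env_var_set(env):
        found.add("env")
    if properties_flag_set(properties_text):
        found.add("properties")
    return found


# Constructed sample inputs (not taken from a real HBase deployment).
SAMPLE_CMDLINE = "java -Dlog4j2.formatMsgNoLookups=true -cp /opt/hbase/lib/* org.apache.hadoop.hbase.master.HMaster start"
SAMPLE_ENV = {"JAVA_HOME": "/usr/lib/jvm/java-11"}  # env var mitigation not exported
SAMPLE_PROPERTIES = "# constructed log4j2.component.properties\nlog4j2.formatMsgNoLookups=True\n"

if __name__ == "__main__":
    print(sorted(mitigations_present(SAMPLE_CMDLINE, SAMPLE_ENV, SAMPLE_PROPERTIES)))
```

An empty result on a 3.0.0-alpha-1 node means none of the listed workarounds is applied to that process; a second `-D` flag later on the command line can silently undo the first, which is why the checker keeps the last value.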
