Besides 3.0.0-alpha-2, we also need to make a new release for
hbase-operation-tools, any volunteers?

Thanks.

张铎(Duo Zhang) <[email protected]> wrote on Fri, Dec 10, 2021 at 18:02:

> Seems the 2.15.0 is already out. The log4j community decided to close the
> vote earlier to solve the critical security issue.
>
> A developer in our community has already filed an issue and opened a PR.
>
> https://issues.apache.org/jira/browse/HBASE-26557
> https://github.com/apache/hbase/pull/3933
>
> Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.
>
> Tak Lon (Stephen) Wu <[email protected]> wrote on Fri, Dec 10, 2021 at 13:44:
>
>> Thanks for sharing! I found another post [2] that said how to perform such
>> an attack.
>>
>> Should we have a JIRA and keep tracking the solution for it?
>>
>> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
>>
>> -Stephen
>>
>> On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) <[email protected]>
>> wrote:
>>
>> > See this PR
>> >
>> > https://github.com/apache/logging-log4j2/pull/608
>> >
>> > Although the final 2.15.0 release for log4j2 has not been published yet,
>> > at least on the Chinese internet the details and how to make use of
>> > this vulnerability have already been made public[1].
>> >
>> > HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a
>> > 3.0.0-alpha-2 release out soon. And for those who already use HBase
>> > 3.0.0-alpha-1, please consider using the following ways to disable JNDI
>> >
>> > Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM
>> > Add 'log4j2.formatMsgNoLookups=True' to config file
>> > 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting JVM
>> >
>> > Thanks.
>> >
>> > 1. https://nosec.org/home/detail/4917.html
>> >
>>
>
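
The check below is an added example, not part of the thread and not HBase or log4j code: it classifies each log4j-core jar on a classpath against the 2.15.0 fix and the '-Dlog4j2.formatMsgNoLookups=true' JVM flag quoted above. The function names, paths and sample arguments are constructed, and the 2.10.0 lower bound for the flag is an assumption taken from the log4j documentation rather than from this thread.

```python
import re

FIXED = (2, 15, 0)       # release named in the thread as carrying the fix
FLAG_SINCE = (2, 10, 0)  # assumption, not from the thread: flag exists from 2.10.0
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")
FLAG_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=(.*)")


def core_version(path):
    """Return (major, minor, patch) for a log4j-core jar path, else None."""
    m = JAR_RE.search(path)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def lookups_disabled(jvm_args):
    """True if the flag is set to true; the last duplicate -D wins."""
    value = None
    for arg in jvm_args:
        m = FLAG_RE.fullmatch(arg)
        if m:
            value = m.group(1)
    return value is not None and value.strip().lower() == "true"


def audit(classpath, jvm_args):
    """Classify each log4j-core jar as fixed, mitigated or exposed."""
    flag = lookups_disabled(jvm_args)
    report = {}
    for path in classpath:
        version = core_version(path)
        if version is None:
            continue  # not a log4j-core jar
        if version >= FIXED:
            report[path] = "fixed"
        elif flag and version >= FLAG_SINCE:
            report[path] = "mitigated"
        else:
            report[path] = "exposed"
    return report


# Constructed sample input, not taken from any real deployment.
CLASSPATH = ["/opt/app/lib/log4j-core-2.14.1.jar",
             "/opt/app/lib/log4j-core-2.8.2.jar",
             "/opt/app/lib/log4j-core-2.15.0.jar",
             "/opt/app/lib/slf4j-api-1.7.30.jar"]
JVM_ARGS = ["-Xmx4g", "-Dlog4j2.formatMsgNoLookups=true"]

if __name__ == "__main__":
    for jar, state in audit(CLASSPATH, JVM_ARGS).items():
        print(f"{state:10} {jar}")
```

A jar reported as "mitigated" still needs the upgrade to 2.15.0; the flag only covers the period until the patched release is deployed.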
