Thanks Guangxu!
On 12/13/21 6:01 AM, Guangxu Cheng wrote:
If there is no objection, I’ll volunteer to RM hbase-operation-tools 1.2.0
------
Best Regards,
Guangxu
张铎(Duo Zhang) <[email protected]> wrote on Sun, Dec 12, 2021 at 22:37:
Besides 3.0.0-alpha-2, we also need to make a new release for
hbase-operation-tools, any volunteers?
Thanks.
张铎(Duo Zhang) <[email protected]> wrote on Fri, Dec 10, 2021 at 18:02:
Seems the 2.15.0 is already out. The log4j community decided to close the
vote earlier to solve the critical security issue.
A developer in our community has already filed an issue and opened a PR.
https://issues.apache.org/jira/browse/HBASE-26557
https://github.com/apache/hbase/pull/3933
Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.
Tak Lon (Stephen) Wu <[email protected]> wrote on Fri, Dec 10, 2021 at 13:44:
Thanks for sharing! I found another post [2] that said how to perform such
an attack.
Should we have a JIRA and keep tracking the solution for it?
[2] https://www.lunasec.io/docs/blog/log4j-zero-day/
-Stephen
On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) <[email protected]> wrote:
See this PR
https://github.com/apache/logging-log4j2/pull/608
Although the final 2.15.0 release for log4j2 has not been published yet, at
least on the Chinese internet the details and how to make use of
this vulnerability have already been made public[1].
HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a
3.0.0-alpha-2 release out soon. And for those who already use HBase
3.0.0-alpha-1, please consider using the following ways to disable JNDI:
Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM
Add 'log4j2.formatMsgNoLookups=True' to config file
'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting JVM
Thanks.
[1] https://nosec.org/home/detail/4917.html
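
A defensive check that follows from the mitigation advice in the thread above, as an added example that is not part of the original messages or of the HBase project: it lists `log4j-core` jars under a directory whose file name shows a 2.x version below 2.15.0 (the fix release named in the thread) and tests a JVM options string for the `-Dlog4j2.formatMsgNoLookups=true` flag. The function names, and the reliance on the version number appearing in the jar file name, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit helper for the log4j2 issue.
# Assumption: jars keep the usual log4j-core-<version>.jar file name.

# Print "major.minor" taken from a log4j-core jar file name, or nothing.
log4j_core_version() {
    basename "$1" |
        sed -n 's/^log4j-core-\([0-9][0-9]*\.[0-9][0-9]*\).*\.jar$/\1/p'
}

# Succeed when "major.minor" is a 2.x release below 2.15.
is_pre_2_15() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -eq 2 ] && [ "$minor" -lt 15 ]
}

# Succeed when a JVM options string carries the flag exactly as the
# thread spells it (lowercase "true").
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print, one per line, every log4j-core jar under $1 that predates 2.15.
audit_dir() {
    find "$1" -type f -name 'log4j-core-*.jar' | LC_ALL=C sort |
    while IFS= read -r jar; do
        v=$(log4j_core_version "$jar")
        [ -n "$v" ] || continue
        if is_pre_2_15 "$v"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Stand-alone use: pass the directory to audit as the first argument.
[ "$#" -eq 0 ] || audit_dir "$1"
```

A jar that has been renamed or shaded into another archive will not be found by file name, so an empty result is not proof that no older copy is present.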