Thank you Guangxu!

-Stephen

On Mon, Dec 13, 2021 at 7:47 AM Josh Elser <[email protected]> wrote:
>
> Thanks Guangxu!
>
> On 12/13/21 6:01 AM, Guangxu Cheng wrote:
> > If there is no objection, I’ll volunteer to RM hbase-operation-tools 1.2.0
> > ------
> > Best Regards,
> > Guangxu
> >
> >
> > 张铎(Duo Zhang) <[email protected]> wrote on Sun, Dec 12, 2021 at 22:37:
> >
> >> Besides 3.0.0-alpha-2, we also need to make a new release for
> >> hbase-operation-tools, any volunteers?
> >>
> >> Thanks.
> >>
> >> 张铎(Duo Zhang) <[email protected]> wrote on Fri, Dec 10, 2021 at 18:02:
> >>
> >>> Seems the 2.15.0 is already out. The log4j community decided to close the
> >>> vote earlier to solve the critical security issue.
> >>>
> >>> A developer in our community has already filed an issue and opened a PR.
> >>>
> >>> https://issues.apache.org/jira/browse/HBASE-26557
> >>> https://github.com/apache/hbase/pull/3933
> >>>
> >>> Let's get the PR merged and publish 3.0.-alpha-2 ASAP.
> >>>
> >>> Tak Lon (Stephen) Wu <[email protected]> wrote on Fri, Dec 10, 2021 at 13:44:
> >>>
> >>>> Thanks for sharing! I found another post [2] that said how to perform
> >>>> such an attack.
> >>>>
> >>>> Should we have a JIRA and keep tracking the solution for it?
> >>>>
> >>>> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
> >>>>
> >>>> -Stephen
> >>>>
> >>>> On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) <[email protected]>
> >>>> wrote:
> >>>>
> >>>>> See this PR
> >>>>>
> >>>>> https://github.com/apache/logging-log4j2/pull/608
> >>>>>
> >>>>> Although the final 2.15.0 release for log4j2 has not been published
> >>>>> yet, at least on the Chinese internet the details and how to make use of
> >>>>> this vulnerability have already been public[1].
> >>>>>
> >>>>> HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a
> >>>>> 3.0.0-alpha-2 release out soon. And for those who already use HBase
> >>>>> 3.0.0-alpha-1, please consider using the following ways to disable
> >>>>> JNDI
> >>>>>
> >>>>> Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM
> >>>>> Add 'log4j2.formatMsgNoLookups=True' to config file
> >>>>> 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting
> >>>>> JVM
> >>>>>
> >>>>> Thanks.
> >>>>>
> >>>>> 1. https://nosec.org/home/detail/4917.html
> >>>>>
> >>>>
> >>>
> >>
> >
