[
https://issues.apache.org/jira/browse/HBASE-26557?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459005#comment-17459005
]
Peter Somogyi commented on HBASE-26557:
---------------------------------------
Log4j just release version 2.16.0 where jndi is turned off by default. Based on
the release announcement it is not required to fix CVE-2021-44228 but
recommended. https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
Should we upgrade to this version and release 3.0.0-alpha2 and
hbase-operator-tools? cc: [~zhangduo] and [~gxcheng]
> log4j2 has a critical RCE vulnerability
> ---------------------------------------
>
> Key: HBASE-26557
> URL: https://issues.apache.org/jira/browse/HBASE-26557
> Project: HBase
> Issue Type: Bug
> Components: logging, security
> Reporter: Yutong Xiao
> Assignee: Yutong Xiao
> Priority: Major
> Fix For: 3.0.0-alpha-2
>
>
> Impacted log4j version: Apache Log4j 2.x <= 2.14.1
> I found that our current log4j version at master is 2.14.1.
> Should upgrade the version to 2.15.0
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
