HBASE-26557 log4j2 has a critical RCE vulnerability (#3933)

Signed-off-by: Duo Zhang <[email protected]>
Signed-off-by: Pankaj Kumar <[email protected]>
Signed-off-by: Geoffrey Jacoby <[email protected]>

bin/hbase-config.cmd

@@ -67,6 +67,10 @@ if exist "%HBASE_CONF_DIR%\hbase-env.cmd" (
   call "%HBASE_CONF_DIR%\hbase-env.cmd"
 )
 
+@rem Disable the JNDI. This feature has critical REC vulnerability.
+@rem when 2.x <= log4j.version <= 2.14.1
+set HBASE_OPTS=%HBASE_OPTS% -Dlog4j2.formatMsgNoLookups=true
+
 if not defined JAVA_HOME (
   echo Warning: JAVA_HOME environment variable is not set. Defaulting to c:\apps\java
   set JAVA_HOME=c:\apps\java

bin/hbase-config.sh

@@ -162,6 +162,10 @@ fi
 # memory usage to explode. Tune the variable down to prevent vmem explosion.
 export MALLOC_ARENA_MAX=${MALLOC_ARENA_MAX:-4}
 
+# Disable the JNDI. This feature has critical REC vulnerability
+# when 2.x <= log4j.version <= 2.14.1
+export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"
+
 # Now having JAVA_HOME defined is required 
 if [ -z "$JAVA_HOME" ]; then
     cat 1>&2 <<EOF

pom.xml

@@ -1746,7 +1746,7 @@
     <hamcrest.version>1.3</hamcrest.version>
     <opentelemetry.version>1.0.1</opentelemetry.version>
     <opentelemetry-javaagent.version>1.0.1</opentelemetry-javaagent.version>
-    <log4j2.version>2.14.1</log4j2.version>
+    <log4j2.version>2.15.0</log4j2.version>
     <mockito-core.version>2.28.2</mockito-core.version>
     <protobuf.plugin.version>0.6.1</protobuf.plugin.version>
     <thrift.path>thrift</thrift.path>