HBASE-26557 log4j2 has a critical RCE vulnerability

[YutSean]

https://issues.apache.org/jira/browse/HBASE-26557

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	2m 57s	Docker mode activated.
		_ Prechecks _
+1 💚	dupname	0m 0s	No case conflicting files found.
+1 💚	@author	0m 0s	The patch does not contain any @author tags.
		_ master Compile Tests _
+1 💚	mvninstall	4m 29s	master passed
+1 💚	compile	10m 16s	master passed
		_ Patch Compile Tests _
+1 💚	mvninstall	4m 21s	the patch passed
+1 💚	compile	9m 26s	the patch passed
+1 💚	javac	9m 26s	the patch passed
+1 💚	whitespace	0m 0s	The patch has no whitespace issues.
+1 💚	xml	0m 2s	The patch has no ill-formed XML file.
+1 💚	hadoopcheck	21m 41s	Patch does not cause any errors with Hadoop 3.1.2 3.2.2 3.3.1.
		_ Other Tests _
+1 💚	asflicense	0m 17s	The patch does not generate ASF License warnings.
		61m 54s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/1/artifact/yetus-general-check/output/Dockerfile
GITHUB PR	#3933
Optional Tests	dupname asflicense javac hadoopcheck xml compile
uname	Linux c105ed694fdd 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / b5cf3cd
Default Java	AdoptOpenJDK-1.8.0_282-b08
Max. process+thread count	141 (vs. ulimit of 30000)
modules	C: . U: .
Console output	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/1/console
versions	git=2.17.1 maven=3.6.3
Powered by	Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

[Apache9]

And I suggest that we add -Dlog4j2.formatMsgNoLookups=true in the start scripts to disable JNDI completely, we do not need this feature in HBase, typically.

[YutSean]

Added the parameter to the start script.

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	2m 0s	Docker mode activated.
-0 ⚠️	yetus	0m 3s	Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck
		_ Prechecks _
		_ master Compile Tests _
+1 💚	mvninstall	6m 16s	master passed
+1 💚	compile	4m 3s	master passed
+1 💚	shadedjars	10m 37s	branch has no errors when building our shaded downstream artifacts.
+1 💚	javadoc	4m 15s	master passed
		_ Patch Compile Tests _
+1 💚	mvninstall	6m 15s	the patch passed
+1 💚	compile	4m 29s	the patch passed
+1 💚	javac	4m 29s	the patch passed
+1 💚	shadedjars	11m 32s	patch has no errors when building our shaded downstream artifacts.
+1 💚	javadoc	4m 12s	the patch passed
		_ Other Tests _
+1 💚	unit	281m 31s	root in the patch passed.
		337m 44s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/1/artifact/yetus-jdk11-hadoop3-check/output/Dockerfile
GITHUB PR	#3933
Optional Tests	javac javadoc unit shadedjars compile
uname	Linux 4f8617a21f3c 4.15.0-163-generic #171-Ubuntu SMP Fri Nov 5 11:55:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / b5cf3cd
Default Java	AdoptOpenJDK-11.0.10+9
Test Results	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/1/testReport/
Max. process+thread count	4429 (vs. ulimit of 30000)
modules	C: . U: .
Console output	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/1/console
versions	git=2.17.1 maven=3.6.3
Powered by	Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

[Apache-HBase]

💔 -1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	0m 26s	Docker mode activated.
-0 ⚠️	yetus	0m 3s	Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck
		_ Prechecks _
		_ master Compile Tests _
+1 💚	mvninstall	4m 11s	master passed
+1 💚	compile	2m 44s	master passed
+1 💚	shadedjars	8m 19s	branch has no errors when building our shaded downstream artifacts.
+1 💚	javadoc	2m 25s	master passed
		_ Patch Compile Tests _
+1 💚	mvninstall	3m 52s	the patch passed
+1 💚	compile	2m 55s	the patch passed
+1 💚	javac	2m 55s	the patch passed
+1 💚	shadedjars	8m 45s	patch has no errors when building our shaded downstream artifacts.
+1 💚	javadoc	2m 16s	the patch passed
		_ Other Tests _
-1 ❌	unit	369m 25s	root in the patch failed.
		408m 2s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/1/artifact/yetus-jdk8-hadoop3-check/output/Dockerfile
GITHUB PR	#3933
Optional Tests	javac javadoc unit shadedjars compile
uname	Linux 675c2f493b85 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / b5cf3cd
Default Java	AdoptOpenJDK-1.8.0_282-b08
unit	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/1/artifact/yetus-jdk8-hadoop3-check/output/patch-unit-root.txt
Test Results	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/1/testReport/
Max. process+thread count	5740 (vs. ulimit of 30000)
modules	C: . U: .
Console output	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/1/console
versions	git=2.17.1 maven=3.6.3
Powered by	Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	1m 17s	Docker mode activated.
		_ Prechecks _
+1 💚	dupname	0m 0s	No case conflicting files found.
+0 🆗	shelldocs	0m 0s	Shelldocs was not available.
+1 💚	@author	0m 0s	The patch does not contain any @author tags.
		_ master Compile Tests _
+1 💚	mvninstall	4m 6s	master passed
+1 💚	compile	9m 5s	master passed
		_ Patch Compile Tests _
+1 💚	mvninstall	3m 50s	the patch passed
+1 💚	compile	9m 4s	the patch passed
+1 💚	javac	9m 4s	the patch passed
+1 💚	shellcheck	0m 1s	There were no new shellcheck issues.
+1 💚	whitespace	0m 0s	The patch has no whitespace issues.
+1 💚	xml	0m 2s	The patch has no ill-formed XML file.
+1 💚	hadoopcheck	20m 27s	Patch does not cause any errors with Hadoop 3.1.2 3.2.2 3.3.1.
		_ Other Tests _
+1 💚	asflicense	0m 17s	The patch does not generate ASF License warnings.
		56m 7s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/2/artifact/yetus-general-check/output/Dockerfile
GITHUB PR	#3933
Optional Tests	dupname asflicense shellcheck shelldocs javac hadoopcheck xml compile
uname	Linux 10b25338f9e6 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / b5cf3cd
Default Java	AdoptOpenJDK-1.8.0_282-b08
Max. process+thread count	141 (vs. ulimit of 30000)
modules	C: . U: .
Console output	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/2/console
versions	git=2.17.1 maven=3.6.3 shellcheck=0.4.6
Powered by	Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	0m 26s	Docker mode activated.
-0 ⚠️	yetus	0m 4s	Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck
		_ Prechecks _
		_ master Compile Tests _
+1 💚	mvninstall	4m 44s	master passed
+1 💚	compile	3m 11s	master passed
+1 💚	shadedjars	8m 15s	branch has no errors when building our shaded downstream artifacts.
+1 💚	javadoc	2m 56s	master passed
		_ Patch Compile Tests _
+1 💚	mvninstall	4m 24s	the patch passed
+1 💚	compile	3m 9s	the patch passed
+1 💚	javac	3m 9s	the patch passed
+1 💚	shadedjars	8m 11s	patch has no errors when building our shaded downstream artifacts.
+1 💚	javadoc	2m 54s	the patch passed
		_ Other Tests _
+1 💚	unit	187m 54s	root in the patch passed.
		229m 11s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/2/artifact/yetus-jdk11-hadoop3-check/output/Dockerfile
GITHUB PR	#3933
Optional Tests	javac javadoc unit shadedjars compile
uname	Linux cb5727be8133 4.15.0-156-generic #163-Ubuntu SMP Thu Aug 19 23:31:58 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / b5cf3cd
Default Java	AdoptOpenJDK-11.0.10+9
Test Results	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/2/testReport/
Max. process+thread count	7261 (vs. ulimit of 30000)
modules	C: . U: .
Console output	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/2/console
versions	git=2.17.1 maven=3.6.3
Powered by	Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

[gjacoby126]

+1. According to the CVE, the formatMsgNoLookups=true flag is only required if NOT upgrading to 2.15, but I see no harm in being explicit since we don't use the JNDI lookup anyway.

[Apache-HBase]

💔 -1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	0m 25s	Docker mode activated.
-0 ⚠️	yetus	0m 3s	Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck
		_ Prechecks _
		_ master Compile Tests _
+1 💚	mvninstall	4m 12s	master passed
+1 💚	compile	2m 46s	master passed
+1 💚	shadedjars	8m 17s	branch has no errors when building our shaded downstream artifacts.
+1 💚	javadoc	2m 16s	master passed
		_ Patch Compile Tests _
+1 💚	mvninstall	3m 46s	the patch passed
+1 💚	compile	2m 40s	the patch passed
+1 💚	javac	2m 40s	the patch passed
+1 💚	shadedjars	8m 13s	patch has no errors when building our shaded downstream artifacts.
+1 💚	javadoc	2m 13s	the patch passed
		_ Other Tests _
-1 ❌	unit	363m 41s	root in the patch failed.
		401m 1s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/2/artifact/yetus-jdk8-hadoop3-check/output/Dockerfile
GITHUB PR	#3933
Optional Tests	javac javadoc unit shadedjars compile
uname	Linux f52bf0f7cd92 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / b5cf3cd
Default Java	AdoptOpenJDK-1.8.0_282-b08
unit	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/2/artifact/yetus-jdk8-hadoop3-check/output/patch-unit-root.txt
Test Results	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/2/testReport/
Max. process+thread count	5258 (vs. ulimit of 30000)
modules	C: . U: .
Console output	https://ci-hadoop.apache.org/job/HBase/job/HBase-PreCommit-GitHub-PR/job/PR-3933/2/console
versions	git=2.17.1 maven=3.6.3
Powered by	Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.