From 00002bdb8cca8f4edf35c236d13496cbc6718f35 Mon Sep 17 00:00:00 2001
From: Yutong Sean
Date: Fri, 10 Dec 2021 12:15:54 +0800
Subject: [PATCH 1/4] HBASE-26557 log4j2 has a critical RCE vulnerability
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 065f66530533..21946ec3db47 100755
--- a/pom.xml
+++ b/pom.xml
@@ -1746,7 +1746,7 @@
 1.3
 1.0.1
 1.0.1
- 2.14.1
+ 2.15.0
 2.28.2
 0.6.1
 thrift
From eedb1c979e0801c17a36cfb5e760160f50f12fef Mon Sep 17 00:00:00 2001
From: Yutong Sean
Date: Fri, 10 Dec 2021 14:54:26 +0800
Subject: [PATCH 2/4] Added the start script to diable JNDI completely
---
 bin/hbase-config.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/bin/hbase-config.sh b/bin/hbase-config.sh
index 3e85ec59fb63..6b6a4fc8d1b8 100644
--- a/bin/hbase-config.sh
+++ b/bin/hbase-config.sh
@@ -162,6 +162,9 @@ fi
 # memory usage to explode. Tune the variable down to prevent vmem explosion.
 export MALLOC_ARENA_MAX=${MALLOC_ARENA_MAX:-4}
+# Disable the JNDI. This feature has critical REC vulnerability when log4j version <= 2.14.1
+export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"
+
 # Now having JAVA_HOME defined is required
 if [ -z "$JAVA_HOME" ]; then
 cat 1>&2 <
Date: Fri, 10 Dec 2021 15:14:44 +0800
Subject: [PATCH 3/4] Refine the comment ddescription
---
 bin/hbase-config.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/hbase-config.sh b/bin/hbase-config.sh
index 6b6a4fc8d1b8..10be5b749050 100644
--- a/bin/hbase-config.sh
+++ b/bin/hbase-config.sh
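Review bot: The added `export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"` in the PATCH 2/4 hunk has spaces around `=`, so the shell passes three separate words to `export`: `HBASE_OPTS` is exported unchanged and the other two are rejected as invalid identifiers, which means the JVM flag is never appended and the mitigation is not applied on Unix. It should be `export HBASE_OPTS="$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"`. The same line is carried over unchanged as context in the PATCH 3/4 hunk, so the series as shown still ships it. Whether hbase-env.sh is sourced after this point and can overwrite HBASE_OPTS is not visible in the hunk and is worth confirming; the PATCH 4/4 hunk places its Windows equivalent after the hbase-env.cmd call.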
@@ -162,7 +162,8 @@ fi
 # memory usage to explode. Tune the variable down to prevent vmem explosion.
 export MALLOC_ARENA_MAX=${MALLOC_ARENA_MAX:-4}
-# Disable the JNDI. This feature has critical REC vulnerability when log4j version <= 2.14.1
+# Disable the JNDI. This feature has critical REC vulnerability
+# when 2.x <= log4j.version <= 2.14.1
 export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"
 # Now having JAVA_HOME defined is required
From 536d1d4ca446354917fe6c5c4dca6b6ff9ca0103 Mon Sep 17 00:00:00 2001
From: Yutong Sean
Date: Fri, 10 Dec 2021 18:09:56 +0800
Subject: [PATCH 4/4] Disable JNDI in windows cmd
---
 bin/hbase-config.cmd | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/bin/hbase-config.cmd b/bin/hbase-config.cmd
index 3b7b713abfd2..f0a972815a51 100644
--- a/bin/hbase-config.cmd
+++ b/bin/hbase-config.cmd
@@ -67,6 +67,10 @@ if exist "%HBASE_CONF_DIR%\hbase-env.cmd" (
 call "%HBASE_CONF_DIR%\hbase-env.cmd"
 )
+@rem Disable the JNDI. This feature has critical REC vulnerability.
+@rem when 2.x <= log4j.version <= 2.14.1
+set HBASE_OPTS=%HBASE_OPTS% -Dlog4j2.formatMsgNoLookups=true
+
 if not defined JAVA_HOME (
 echo Warning: JAVA_HOME environment variable is not set. Defaulting to c:\apps\java
 set JAVA_HOME=c:\apps\java
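Review bot: The refined comment in the PATCH 3/4 hunk still misdescribes the flag: `-Dlog4j2.formatMsgNoLookups=true` turns off lookup substitution in logged message text rather than disabling JNDI as a whole, and "REC" should read "RCE". The lower bound `2.x` is also wider than what the flag covers, since to my knowledge the property is only honoured from log4j 2.10 onward, so an operator reading this comment could believe an older 2.x jar is protected when the option does nothing there. I would write `# Disable log4j2 message lookups; mitigates the RCE for 2.10 <= log4j.version <= 2.14.1` followed by `# (no effect on log4j < 2.10; upgrading the log4j dependency is the actual fix)`. The `@rem` comment added to bin/hbase-config.cmd in PATCH 4/4 repeats the same wording and needs the same correction.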