There is a CVE in log4j1 that can be mitigated by ripping out the
problematic class. For example:

zip -d /opt/hadoop/share/hadoop/common/lib/log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
zip -d /opt/hadoop/share/hadoop/hdfs/lib/log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class

Testing here with Apache 3.2.2 has found that Hadoop has no interest in
the JMSAppender.

-danny

On Fri, Dec 17, 2021 at 1:59 AM Brahma Reddy Battula <[email protected]>
wrote:

>
>
> CVE-2021-44228 states that it will affect Apache Log4j2 2.0-beta9
> through 2.12.1 and 2.13.0 through 2.15.0: JNDI features used in
> configuration, log messages, and parameters do not protect against attacker
> controlled LDAP and other JNDI related endpoints. *And Hadoop uses
> log4j1 (1.2.17), so it will not impact.*
>
>
>
> Please go through the following link for affected apache projects.
>
> https://blogs.apache.org/security/entry/cve-2021-44228
>
> On Thu, Dec 16, 2021 at 4:25 PM Rupert Mazzucco <[email protected]>
> wrote:
>
>> The hadoop.apache.org page is curiously silent about this, and there is
>> no CVE. Isn't this library used in Hadoop? Pretty sure I saw
>> log4j.properties somewhere. Can anybody shed some light on the
>> vulnerability of a Hadoop installation? Can it be exploited via RPC? The
>> HDFS or YARN web interface? The command line?
>>
>> Thanks
>> Rupert
>>
>>
>
> --
>
>
>
> --Brahma Reddy Battula
>


-- 
http://dannyman.toldme.com
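The "zip -d" mitigation described at the top of this thread, as an added example that is not code from the thread or from the Hadoop project: a Python script that audits an install tree for log4j 1.x jars still carrying org/apache/log4j/net/JMSAppender.class, rewrites each jar without that entry (the same effect as zip -d, but also verifiable from Python), and re-audits to confirm nothing was missed. The install root, the jar-name pattern and the sample jar it builds are constructed assumptions; on a real install you would point audit_tree at /opt/hadoop/share/hadoop and run strip_entry on the hits after backing the jars up.

```python
"""Audit a Hadoop-style install tree for log4j 1.x jars that still carry
JMSAppender.class, strip the entry, and verify (added example, not Hadoop code)."""
import os
import shutil
import tempfile
import zipfile

# The class the thread's `zip -d` command removes from log4j-1.2.17.jar.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"


def build_sample_jar(path):
    """Construct a stand-in log4j-1.2.17.jar with a few dummy entries.
    This is constructed test data, not a real log4j build."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JMS_APPENDER, b"\xca\xfe\xba\xbe")
    return path


def contains_entry(jar_path, entry):
    """True if the jar still carries the given entry name."""
    with zipfile.ZipFile(jar_path) as zf:
        return entry in zf.namelist()


def strip_entry(jar_path, entry):
    """Remove one entry from a jar, equivalent to `zip -d JAR ENTRY`.
    zipfile cannot delete in place, so the jar is rewritten without the
    entry into a temp file and swapped in with os.replace (atomic on the
    same filesystem). Returns True if the entry was present and removed."""
    if not contains_entry(jar_path, entry):
        return False
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".jar")
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, \
                zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.filename == entry:
                    continue  # drop only the targeted class
                dst.writestr(info, src.read(info.filename))
        shutil.copymode(jar_path, tmp_path)  # keep the original permissions
        os.replace(tmp_path, jar_path)
    except Exception:
        os.unlink(tmp_path)
        raise
    return True


def audit_tree(root, entry=JMS_APPENDER):
    """Walk an install tree (assumed layout: .../common/lib, .../hdfs/lib, ...)
    and return every log4j 1.x jar that still carries the entry."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-1.") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                if zipfile.is_zipfile(path) and contains_entry(path, entry):
                    hits.append(path)
    return sorted(hits)


def demo():
    """Build a fake install tree with two vulnerable jars, audit it, strip
    the class from each hit, audit again, and report what survived."""
    root = tempfile.mkdtemp()
    for sub in ("common/lib", "hdfs/lib"):
        d = os.path.join(root, sub)
        os.makedirs(d)
        build_sample_jar(os.path.join(d, "log4j-1.2.17.jar"))
    before = audit_tree(root)
    for jar in before:
        strip_entry(jar, JMS_APPENDER)
    after = audit_tree(root)
    # The other entries must survive the rewrite untouched.
    with zipfile.ZipFile(os.path.join(root, "common/lib/log4j-1.2.17.jar")) as zf:
        remaining = sorted(zf.namelist())
    shutil.rmtree(root)
    return len(before), len(after), remaining


if __name__ == "__main__":
    print(demo())
```

Running the audit before and after the strip is the useful part: it catches jars in directories you did not think of (the thread only names common/lib and hdfs/lib) and confirms the rewrite actually removed the class rather than trusting the exit status of zip.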
