Yaqian, thank you for the information!

Best regards,
Shaofeng Shi 史少锋
Apache Kylin PMC, Apache Incubator PMC
Email: shaofeng...@apache.org
Apache Kylin FAQ: https://kylin.apache.org/docs/gettingstarted/faq.html
Join Kylin user mail group: user-subscr...@kylin.apache.org
Join Kylin dev mail group: dev-subscr...@kylin.apache.org

Yaqian Zhang <yaqian_zh...@126.com> wrote on Friday, 10 December 2021 at 18:58:
> Hi all:
>
> This is a security notice about the impact analysis of the Apache Log4j2
> Remote Code Execution Vulnerability on Apache Kylin.
>
> Background
>
> Apache Log4j2 is a Java-based logging tool which is widely used in the
> industry. The recently discovered Remote Code Execution Vulnerability in
> Apache Log4j2 makes it possible for a program that includes Apache Log4j2
> to have Remote Code Execution triggered by an attacker who constructs a
> special request.
>
> Scope of influence
>
> The version range of Log4j2 with the security vulnerability is: Apache Log4j
> 2.x <= 2.14.1.
> The currently released versions of Apache Kylin (Kylin 2.x, Kylin 3.x,
> Kylin 4.x) use log4j version 1.2.17 by default. However, considering that
> Kylin's startup script will load jars from the Hadoop environment, including
> Hadoop, Spark, HBase, Hive and other components, and that the log4j version
> used in a Hadoop 3 environment is generally Apache Log4j2, if your Hadoop is
> above version 3.0 it is recommended to upgrade the Log4j2 of the Hadoop
> cluster to avoid the possibility of polluting Kylin services.
>
> Solution
>
> If the Hadoop components used in the Kylin user's environment use Log4j2, the
> user needs to comprehensively upgrade Log4j2 to the latest 2.15.0-rc2 to
> prevent Kylin from loading the jar of Log4j2 with security risks into
> Kylin's classpath through scripts.
> After the Log4j2 environment is fully upgraded, users can execute jinfo
> `cat pid` under $KYLIN_HOME to check whether the jar packages such as
> log4j-core-2.x.x.jar introduced by Kylin's classpath are the latest secure
> Log4j2 versions.
>
> Best Regards!
>
> Apache Kylin Team
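The notice above leaves the last step to the reader: run jinfo on the Kylin process and eyeball the classpath for log4j-core jars. The script below is an added example, not part of the Kylin notice or the Kylin project, that automates that check. It extracts `java.class.path` from jinfo-style output (it assumes jinfo prints system properties one `key = value` per line, which is the JDK 8 format; newer JDKs print `key=value` and the pattern allows both), splits the classpath, and flags every `log4j-core-<version>.jar` whose version falls in the affected range stated in the notice (2.x <= 2.14.1). The jinfo snippet and the jar paths are constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Added example: flag log4j-core jars on a Kylin JVM classpath that fall in
# the range the notice calls affected (Log4j 2.x <= 2.14.1). Not project code.

# Return 0 (true) when version $1 is a 2.x release at or below 2.14.1.
# A suffix such as "-rc2" on the patch number is stripped before comparing.
log4j2_is_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$major" = "2" ] || return 1
    if [ -z "$minor" ]; then minor=0; fi
    if [ -z "$patch" ]; then patch=0; fi
    if [ "$minor" -lt 14 ]; then return 0; fi
    if [ "$minor" -eq 14 ] && [ "$patch" -le 1 ]; then return 0; fi
    return 1
}

# Read jinfo output on stdin and print the java.class.path value.
# Assumption: the property line looks like "java.class.path = <value>"
# (JDK 8) or "java.class.path=<value>" (later JDKs).
classpath_from_jinfo() {
    sed -n 's/^java\.class\.path[ ]*=[ ]*//p' | head -n 1
}

# Print one line per log4j-core jar found in classpath string $1:
# "<jar path> <version> affected|ok". Entries are ':'-separated.
scan_classpath() {
    printf '%s' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case "$entry" in
            *log4j-core-*.jar)
                ver=$(printf '%s' "$entry" | sed 's#.*/log4j-core-##; s#\.jar$##')
                if log4j2_is_affected "$ver"; then
                    printf '%s %s affected\n' "$entry" "$ver"
                else
                    printf '%s %s ok\n' "$entry" "$ver"
                fi
                ;;
        esac
    done
}

# Number of affected log4j-core jars in classpath string $1 (0 means clean).
count_affected() {
    scan_classpath "$1" | grep -c ' affected$' || true
}

# Constructed sample jinfo output; the paths and versions are made up.
# One Hadoop-provided log4j-core is still in the affected range, the Spark
# one is already at 2.15.0-rc2, and the Kylin log4j 1.2.17 jar is ignored
# because it is not a log4j-core 2.x artifact.
SAMPLE_JINFO='java.runtime.name = OpenJDK Runtime Environment
java.class.path = /opt/kylin/lib/kylin-job.jar:/opt/hadoop/lib/log4j-core-2.13.3.jar:/opt/spark/jars/log4j-core-2.15.0-rc2.jar:/opt/kylin/lib/log4j-1.2.17.jar
java.vm.version = 11.0.13'

# Demo on the constructed sample. For a live check run from $KYLIN_HOME, as
# the notice suggests, replace the sample with real jinfo output:
#   cp=$(jinfo "$(cat pid)" | classpath_from_jinfo)
cp=$(printf '%s\n' "$SAMPLE_JINFO" | classpath_from_jinfo)
scan_classpath "$cp"
printf 'affected log4j-core jars: %s\n' "$(count_affected "$cp")"
```

Only the exact path is checked here; a jar that is on the classpath under a different name (for example a shaded or renamed copy) will not be reported, so treat a count of zero as "no unpatched log4j-core jar by name", not as proof that no vulnerable Log4j2 code is loaded.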