Hive3 log4j2 version

[xiang chen]

Hi~

I had tried to changing log4j2 jars from 2.10.0 to 2.1.5.0 (reasons based on [CVE-2021-44228]). I've found that other pods are running normally, but the mr3master pod will fail to find the log4j2 method. Could you please provide an image based on the new version of log4j2?

[Sungwoo Park]

Currently there is a problem with upgrading Log4j 2 to 2.15.0, so you could use a quickfix by adding kubernetes/conf/hive-log4j2.properties:

log4j2.formatMsgNoLookups=true

Or, you rebuild the Docker image after adding -Dlog4j2.formatMsgNoLookups=true' in hive/hive/hive-setup.sh, hive_setup_config_hive_logs:

export HADOOP_OPTS="-Dlog4j2.formatMsgNoLookups=true -Dhive.log.dir=$output_dir -Dhive.log.file=$log_filename"

MR3 DAGAppMaster should be safe as long as Prometheus is not enabled.

We will release a new Docker image with MR3 1.4. Due to additional CVEs discovered lately, we will try to upgrade Log4j2 to 2.16+.

Cheers,

--- Sungwoo