https://bugzilla.redhat.com/show_bug.cgi?id=2030932
Greg Scott <gscott(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |gscott(a)redhat.com
--- Comment #123 from Greg Scott <gscott(a)redhat.com> ---
> We are running: rhvm-4.4.9.5-0.1.el8ev.noarch
>
> Our question is what is the impact of removing the log4j RPM's on a Hosted
> Engine?
>
> We have these log4j RPMs installed:
> # rpm -qa | grep log4j
> log4j12-1.2.17-22.module+el8+2598+06babf2e.noarch
> ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch
> eap7-log4j2-jboss-logmanager-1.0.0-1.Final_redhat_00001.1.el8eap.noarch
> eap7-log4j-jboss-logmanager-1.2.0-1.Final_redhat_00001.1.el8eap.noarch
> eap7-log4j-2.14.0-1.redhat_00002.1.el8eap.noarch
>
> What is the impact of removing them? Specifically, can we remove the 2.14
> version without impact? Is this affected by the CVE?
RHVM 4.4.z should not install any log4j v2 at all. See the diagnostic steps
in https://access.redhat.com/solutions/6611691 for the log4j components
installed with RHVM 4.4.
--- Comment #122 from Mike Murphy <micmurph(a)redhat.com> ---
(In reply to Stoyan Nikolov from comment #67)
> Red Hat Virtualization ships rhvm-appliance which includes a vulnerable
> version of log4j released by Red Hat EAP. Once EAP releases a fixed version
> of the package Red Hat Virtualization users can consume the fix with a
> regular update via the package manager inside the rhvm-appliance.
We are running: rhvm-4.4.9.5-0.1.el8ev.noarch
Our question is what is the impact of removing the log4j RPM's on a Hosted
Engine?
We have these log4j RPMs installed:
# rpm -qa | grep log4j
log4j12-1.2.17-22.module+el8+2598+06babf2e.noarch
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch
eap7-log4j2-jboss-logmanager-1.0.0-1.Final_redhat_00001.1.el8eap.noarch
eap7-log4j-jboss-logmanager-1.2.0-1.Final_redhat_00001.1.el8eap.noarch
eap7-log4j-2.14.0-1.redhat_00002.1.el8eap.noarch
What is the impact of removing them? Specifically, can we remove the 2.14
version without impact? Is this affected by the CVE?