https://bugzilla.redhat.com/show_bug.cgi?id=2030932
--- Comment #122 from Mike Murphy micmurph@redhat.com --- (In reply to Stoyan Nikolov from comment #67)
Red Hat Virtualization ships rhvm-appliance which includes a vulnerable version of log4j released by Red Hat EAP. Once EAP releases a fixed version of the package, Red Hat Virtualization users can consume the fix with a regular update via the package manager inside the rhvm-appliance.
We are running: rhvm-4.4.9.5-0.1.el8ev.noarch
Our question is what is the impact of removing the log4j RPMs on a Hosted Engine?
We have these log4j RPMs installed:

# rpm -qa | grep log4j
log4j12-1.2.17-22.module+el8+2598+06babf2e.noarch
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch
eap7-log4j2-jboss-logmanager-1.0.0-1.Final_redhat_00001.1.el8eap.noarch
eap7-log4j-jboss-logmanager-1.2.0-1.Final_redhat_00001.1.el8eap.noarch
eap7-log4j-2.14.0-1.redhat_00002.1.el8eap.noarch
What is the impact of removing them? Specifically, can we remove the 2.14 version without impact? Is this affected by the CVE?
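An added example, not part of the bug report or of any Red Hat tooling: a small POSIX shell script that answers the "what breaks if we remove it" question with rpm's own dependency dry run instead of guesswork. The package list is the one quoted in the comment, embedded here as constructed stand-in input for `rpm -qa`; the NVRA split (name, version, release, arch) is plain string handling, and the "2.x" filter only looks at the version field of packages whose name contains log4j, so it is a triage aid, not a vulnerability verdict. `rpm -q --whatrequires` and `rpm -e --test` are standard rpm options; the `--test` run reports dependency conflicts and erases nothing.

```shell
#!/bin/sh
# Triage helper (added example, not from the bug report): for each log4j-related
# RPM, show which installed packages depend on it and what `rpm -e --test`
# would complain about. No package is removed.

# Constructed sample input: the RPM list quoted in the comment, as `rpm -qa`
# would print it. On a real host use:  rpm -qa | grep log4j
SAMPLE_RPMS='log4j12-1.2.17-22.module+el8+2598+06babf2e.noarch
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch
eap7-log4j2-jboss-logmanager-1.0.0-1.Final_redhat_00001.1.el8eap.noarch
eap7-log4j-jboss-logmanager-1.2.0-1.Final_redhat_00001.1.el8eap.noarch
eap7-log4j-2.14.0-1.redhat_00002.1.el8eap.noarch'

# nvra_split NVRA: print "name version release" for an rpm NVRA string.
# Release and version never contain '-', so the last two '-' fields are
# release and version; everything before them is the package name.
nvra_split() {
    _stripped=${1%.*}              # drop ".arch" (e.g. ".noarch")
    _release=${_stripped##*-}
    _rest=${_stripped%-*}
    _version=${_rest##*-}
    _name=${_rest%-*}
    printf '%s %s %s\n' "$_name" "$_version" "$_release"
}
nvra_name()    { nvra_split "$1" | cut -d' ' -f1; }
nvra_version() { nvra_split "$1" | cut -d' ' -f2; }

# log4j_packages: filter an NVRA list on stdin to log4j-related packages.
log4j_packages() { grep log4j; }

# log4j_v2_packages: from an NVRA list on stdin, print packages whose name
# contains "log4j" and whose own version field is 2.x. Bridge packages such
# as eap7-log4j2-jboss-logmanager carry their own version numbers, not
# log4j's, so they are deliberately not matched by this filter.
log4j_v2_packages() {
    while IFS= read -r nvra; do
        [ -n "$nvra" ] || continue
        set -- $(nvra_split "$nvra")
        case "$1" in *log4j*) ;; *) continue ;; esac
        case "$2" in 2.*) printf '%s\n' "$nvra" ;; esac
    done
}

# removal_impact NVRA: ask rpm what depends on the package and whether erasing
# it would break dependencies. `rpm -e --test` checks only; nothing is erased.
removal_impact() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available here; skipping dry run for $1"
        return 0
    fi
    echo "== $1"
    echo "-- installed packages that require $(nvra_name "$1"):"
    rpm -q --whatrequires "$(nvra_name "$1")" || true
    echo "-- rpm -e --test (nothing is erased):"
    rpm -e --test "$1" 2>&1 && echo "   no dependency conflicts reported"
    return 0
}

main() {
    echo "# log4j-related RPMs in the sample list:"
    printf '%s\n' "$SAMPLE_RPMS" | log4j_packages
    echo "# packages carrying a log4j 2.x version string:"
    printf '%s\n' "$SAMPLE_RPMS" | log4j_v2_packages
    # Dry-run removal for each 2.x candidate; only informative on a real host.
    for p in $(printf '%s\n' "$SAMPLE_RPMS" | log4j_v2_packages); do
        removal_impact "$p"
    done
}

main
```

On the Hosted Engine itself, replace SAMPLE_RPMS with the live `rpm -qa | grep log4j` output; `rpm -e --test` then lists exactly which installed packages would be left with unsatisfied dependencies, which is the concrete "impact" the question asks about, and the `--whatrequires` output shows which components (for example the EAP logmanager bridges) are the ones tying log4j into the engine.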