Cloudera Docs

Known issues in Cloudera Runtime 7.1.7 SP1

You must be aware of the known issues and limitations, the areas of impact, and workaround in Cloudera Runtime 7.1.7 SP1.

Log4j-1x remediation

CDP Private Cloud Base 7.1.7 SP1 uses Reload4j and does not contain those CVEs but the files were renamed to log4j-1.2.17-cloudera6.jar. This still sets off scanners, but retained the log4j prefix that made for an easy transition for dependencies. In CDP Private Cloud Base 7.1.7 SP2, the log4j-1.2.17-cloudera6.jar files were renamed to reload4j-1.2.22.jar in the CDP parcel and should not set off scanners.

These remaining JARs are related to Cloudera Manager and are in 7.7.1 but 7.6.7 has them removed:

/opt/cloudera/cm/cloudera-navigator-audit-server/log4j-1.2.17-cloudera6.jar

/opt/cloudera/cm/cloudera-navigator-server/jars/log4j-1.2.17-cloudera6.jar

/opt/cloudera/cm/cloudera-scm-telepub/jars/log4j-1.2.17-cloudera6.jar

/opt/cloudera/cm/common_jars/log4j-1.2.17-cloudera6.5e6c49dac2e98e54fc9a8438826fa763.jar

/opt/cloudera/cm/lib/log4j-1.2.17-cloudera6.jar

Workaround: To get every log4j-1x version replaced with ones named reload4j, you must be on CDP Private Cloud Base 7.1.7 SP2 and Cloudera Manager 7.6.7. (CDP Private Cloud Base 7.1.7 SP1 uses reload4j but the name still says log4j).