Known issues in Cloudera Runtime 7.1.8
You must be aware of the known issues and limitations, the areas of impact, and workaround in Cloudera Runtime 7.1.8.
Log4j-1x remediation
CDP Private Cloud Base 7.1.7 SP1 and CDP Private Cloud Base 7.1.8 uses Reload4j and does not contain those CVEs but the files were renamed to log4j-1.2.17-cloudera6.jar. This still sets off scanners, but retained the log4j prefix that made for an easy transition for dependencies. In CDP Private Cloud Base 7.1.7 SP2, the log4j-1.2.17-cloudera6.jar files were renamed to reload4j-1.2.22.jar in the CDP parcel and should not set off scanners.
These remaining JARs are related to Cloudera Manager and are in 7.7.1 but 7.6.7 has them removed:
/opt/cloudera/parcels/CDH-7.1.8-1.cdh7.1.8.p0.30990532/jars/log4j-1.2.17-cloudera6.jar
/opt/cloudera/cm/cloudera-navigator-audit-server/log4j-1.2.17-cloudera6.jar
/opt/cloudera/cm/cloudera-navigator-server/jars/log4j-1.2.17-cloudera6.jar
/opt/cloudera/cm/cloudera-scm-telepub/jars/log4j-1.2.17-cloudera6.jar
/opt/cloudera/cm/common_jars/log4j-1.2.17-cloudera6.5e6c49dac2e98e54fc9a8438826fa763.jar
/opt/cloudera/cm/lib/log4j-1.2.17-cloudera6.jar
Workaround: To get every log4j-1x version replaced with ones named reload4j, you must be on CDP Private Cloud Base 7.1.8 latest Cumulative hotfixes or CDP Private Cloud Base 7.1.9 and associated Cloudera Manager versions. (CDP Private Cloud Base 7.1.7 SP1 uses reload4j but the name still says log4j).