Is Glyptodon Enterprise affected?

No. Glyptodon Enterprise does not use Log4j and is not affected by CVE-2021-44228. Glyptodon and Apache Guacamole use Logback as their logging backend.

My Tomcat package from Red Hat 7 comes with Log4j. Am I affected?

The older version of Log4j 1.x used by the Tomcat package provided with Red Hat 7 is not affected by CVE-2021-44228, but may be affected by a similar issue if it has been manually reconfigured to use the “JMSAppender” class:

If you have manually reconfigured Tomcat’s logging to use JMSAppender since it was originally installed, you should either remove usage of JMSAppender or migrate to a newer version of Tomcat.

As of Glyptodon Enterprise 2.5 (released 2021-09-16), new installations will typically use the “glyptodon-guacamole-standalone” package, which includes its own, newer version of Tomcat that is unaffected. If you have an older installation that uses the Red Hat package of Tomcat and wish to migrate, you can do so by removing the old “tomcat” package and installing “glyptodon-guacamole-standalone” instead:

$ sudo yum remove tomcat
$ sudo yum install glyptodon-guacamole-standalone
$ sudo systemctl start guacamole
$ sudo systemctl enable guacamole