Is Glyptodon Enterprise affected?
My Tomcat package from Red Hat 7 comes with Log4j. Am I affected?
The older version of Log4j 1.x used by the Tomcat package provided with Red Hat 7 is not affected by CVE-2021-44228, but may be affected by a similar issue if it has been manually reconfigured to use the “JMSAppender” class:
If you have manually reconfigured Tomcat’s logging to use JMSAppender since it was originally installed, you should either remove usage of JMSAppender or migrate to a newer version of Tomcat.
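One way to check whether a Tomcat logging configuration has been changed to use JMSAppender is to search its Log4j 1.x configuration files for active references to the class. The script below is an added example, not code from Glyptodon or Red Hat; the function name `scan_jmsappender` is hypothetical, and the directory to scan is an assumption supplied by the caller (point it at wherever your Tomcat logging configuration lives).

```shell
#!/bin/sh
# Added example: list Log4j 1.x configuration files that reference JMSAppender.
# Only files on disk are inspected; logging configured in code is not detected.

# scan_jmsappender DIR
#   Prints "file:line:text" for each reference found under DIR.
#   Returns 0 if at least one reference exists, 1 if none, 2 if DIR is invalid.
scan_jmsappender() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    hits=$(
        find "$dir" -type f \( -name '*.properties' -o -name '*.xml' \) \
            -exec awk '
                # Properties syntax: lines starting with # or ! are comments.
                FILENAME ~ /\.properties$/ && /^[ \t]*[#!]/ { next }
                # XML comments can span lines, so every mention in an XML
                # file is reported and left for a human to review.
                /JMSAppender/ { print FILENAME ":" FNR ":" $0 }
            ' {} + 2>/dev/null
    )

    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Stand-alone use: pass the configuration directory as the first argument.
if [ "$#" -gt 0 ]; then
    scan_jmsappender "$1"
fi
```

An exit status of 1 means no reference was found in the scanned directory; any printed line should be reviewed and the appender removed, as described above.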
As of Glyptodon Enterprise 2.5 (released 2021-09-16), new installations will typically use the “glyptodon-guacamole-standalone” package, which includes its own, newer version of Tomcat that is unaffected. If you have an older installation that uses the Red Hat package of Tomcat and wish to migrate, you can do so by removing the old “tomcat” package and installing “glyptodon-guacamole-standalone” instead: