Support Questions

in cloudera 7.1.7 sp1 CDH-7.1.7-1.cdh7.1.7.p1050.30900109

We still can find log4j files in the below paths: 

[yarn@cnl CDH]$ find -name log4j-1.2.17-cloudera6.jar
./lib/hadoop/client/log4j-1.2.17-cloudera6.jar
./lib/hadoop/lib/log4j-1.2.17-cloudera6.jar
./lib/atlas/extractors/lib/aws-s3/log4j-1.2.17-cloudera6.jar
./lib/atlas/extractors/lib/azure-adls/log4j-1.2.17-cloudera6.jar
./lib/atlas/server/webapp/atlas/WEB-INF/lib/log4j-1.2.17-cloudera6.jar
./lib/queuemanager/lib/dependencies/log4j-1.2.17-cloudera6.jar
./lib/hadoop-hdfs/lib/log4j-1.2.17-cloudera6.jar
./lib/cruise_control/libs/log4j-1.2.17-cloudera6.jar
./lib/hbase-solr/lib/log4j-1.2.17-cloudera6.jar
./lib/hbase_connectors/lib/log4j-1.2.17-cloudera6.jar
./lib/hbase/lib/client-facing-thirdparty/log4j-1.2.17-cloudera6.jar
./lib/impala/lib/log4j-1.2.17-cloudera6.jar
./lib/kafka/libs/log4j-1.2.17-cloudera6.jar
./lib/knox/dep/log4j-1.2.17-cloudera6.jar
./lib/livy2/jars/log4j-1.2.17-cloudera6.jar
./lib/oozie/embedded-oozie-server/webapp/WEB-INF/lib/log4j-1.2.17-cloudera6.jar
./lib/oozie/lib/log4j-1.2.17-cloudera6.jar
./lib/oozie/libtools/log4j-1.2.17-cloudera6.jar
./lib/oozie/oozie-sharelib-yarn/lib/hcatalog/log4j-1.2.17-cloudera6.jar
./lib/oozie/oozie-sharelib-yarn/lib/hive/log4j-1.2.17-cloudera6.jar
./lib/oozie/oozie-sharelib-yarn/lib/oozie/log4j-1.2.17-cloudera6.jar
./lib/oozie/oozie-sharelib-yarn/lib/spark/log4j-1.2.17-cloudera6.jar
./lib/hadoop-ozone/share/ozone/lib/log4j-1.2.17-cloudera6.jar
./lib/phoenix_omid/lib/log4j-1.2.17-cloudera6.jar
./lib/ranger-kms/ews/webapp/lib/log4j-1.2.17-cloudera6.jar
./lib/ranger-admin/ews/lib/log4j-1.2.17-cloudera6.jar
./lib/ranger-admin/ews/webapp/WEB-INF/lib/log4j-1.2.17-cloudera6.jar
./lib/ranger-raz/webapp/ranger-raz/WEB-INF/lib/log4j-1.2.17-cloudera6.jar
./lib/ranger-tagsync/lib/log4j-1.2.17-cloudera6.jar
./lib/ranger-usersync/lib/log4j-1.2.17-cloudera6.jar
./lib/ranger-rms/ews/lib/log4j-1.2.17-cloudera6.jar
./lib/ranger-rms/ews/webapp/WEB-INF/lib/log4j-1.2.17-cloudera6.jar
./lib/schemaregistry/atlas-plugin/atlas-schema-registry-plugin-impl/log4j-1.2.17-cloudera6.jar
./lib/schemaregistry/libs/log4j-1.2.17-cloudera6.jar
./lib/schemaregistry/ranger-plugin/ranger-schema-registry-plugin-impl/log4j-1.2.17-cloudera6.jar
./lib/search/lib/log4j-1.2.17-cloudera6.jar
./lib/search/lib/search-crunch/log4j-1.2.17-cloudera6.jar
./lib/spark/jars/log4j-1.2.17-cloudera6.jar
./lib/streams_replication_manager/lib/log4j-1.2.17-cloudera6.jar
./lib/zeppelin/interpreter/angular/log4j-1.2.17-cloudera6.jar
./lib/zeppelin/interpreter/jdbc/log4j-1.2.17-cloudera6.jar
./lib/zeppelin/interpreter/livy/log4j-1.2.17-cloudera6.jar
./lib/zeppelin/interpreter/md/log4j-1.2.17-cloudera6.jar
./lib/zeppelin/interpreter/sh/log4j-1.2.17-cloudera6.jar
./lib/zeppelin/lib/interpreter/log4j-1.2.17-cloudera6.jar
./lib/zeppelin/lib/log4j-1.2.17-cloudera6.jar
./lib/zookeeper/lib/log4j-1.2.17-cloudera6.jar
./jars/log4j-1.2.17-cloudera6.jar

And also in below jar files, they also include the log4j-1.2.17-cloudera6.jar. Since it will be scanned out from our vulnerability scanning tools. May I know if this log4j jar is using and any solution to remove it? Thanks.

@VidyaSargur Thank you. @araujo @vaishaakb , 

As we knew, CDH 7.1.7 SP1 has already fixed log4j vulnerability issue. 

But when we arrange scanning in CDH path, but there are still log4j1 jar package in it. (details as in my above list). 

So would like to seek your help to see why the old log4j jars are still there and which version of CDH will exclude those old log4j jars. Thanks.