https://bugzilla.redhat.com/show_bug.cgi?id=1785617
Alex Scheel ascheel@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED CC| |ascheel@redhat.com Resolution|--- |NOTABUG Last Closed| |2020-01-07 03:13:02
--- Comment #3 from Alex Scheel ascheel@redhat.com --- Per upstream thread, this CVE affects up to 2.8.1. The minimum version shipped in Fedora is 2.11.1; thus we aren't impacted in this component. log4j12 still is potentially vulnerable, but that's a separate package.