https://bugzilla.redhat.com/show_bug.cgi?id=1725807
--- Comment #43 from Eric Christensen sparks@redhat.com --- Statement:
Red Hat OpenStack's OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.
This vulnerability relies on logback-core (ch.qos.logback.core) being present in the application's ClassPath. Logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability.
This issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time.