https://bugzilla.redhat.com/show_bug.cgi?id=1937440
--- Comment #23 from Eric Christensen sparks@redhat.com ---
Statement:
OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component, which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix at this time and may be fixed in a future release. Additionally, the hive container only references velocity in the testutils of the code, but the code still exists in the container; as such, it has been given a Moderate impact.
Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.
Although velocity shipped in Red Hat Enterprise Linux 8's pki-deps for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki.