Red Hat Fuse / ENTESB-18374

Stop managing log4j-core and other log4j2 artifacts in camel-quarkus-bom



      We started managing all log4j2 artifacts as a fix for https://issues.redhat.com/browse/ENTESB-17975. Now we can stop doing so because:

      • io.quarkus:quarkus-bom manages log4j-api version 2.17.1
      • CE4Q uses community version 2.2.1 for non-productized extensions. In 2.2.1, the NSQ and Corda extensions are fixed so that they no longer depend on log4j-core.

      This requires a release note, because it has a potential security impact on customers; something like:

      ----8<----
      In CE4Q 2.2.1, we stopped managing the following artifacts because none of our extensions depends on those anymore:

      • org.apache.logging.log4j:log4j-1.2-api
      • org.apache.logging.log4j:log4j-core
      • org.apache.logging.log4j:log4j-jcl
      • org.apache.logging.log4j:log4j-jul
      • org.apache.logging.log4j:log4j-slf4j-impl
      • org.apache.logging.log4j:log4j-web

      If your application adds a dependency on any of those, please make sure to use the newest version of Log4j 2.x to avoid any CVEs known in versions <2.17.1. Note that quarkus-bom still manages org.apache.logging.log4j:log4j-api.
      ----8<----
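The release note above leaves it to application owners to check the Log4j 2.x versions they resolve once camel-quarkus-bom stops managing them. The following is an added example, not code from this issue or from the Camel Quarkus project: a small Python script that reads `mvn dependency:tree` output, lists every org.apache.logging.log4j artifact with its resolved version, flags any below 2.17.1 (the log4j-api version the issue says quarkus-bom manages), and points out which of the six artifacts listed above are now the application's own responsibility. The sample tree output embedded in it is constructed for illustration; the coordinates and versions in it are not taken from any real build.

```python
import re

# The six artifacts ENTESB-18374 stops managing in camel-quarkus-bom.
NOW_UNMANAGED = {
    "log4j-1.2-api", "log4j-core", "log4j-jcl",
    "log4j-jul", "log4j-slf4j-impl", "log4j-web",
}
LOG4J2_GROUP = "org.apache.logging.log4j"
# Floor taken from the issue text: quarkus-bom manages log4j-api 2.17.1 and the
# release note warns about CVEs in versions below it.
MIN_VERSION = "2.17.1"

# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE_TREE = """\
[INFO] com.example:my-camel-app:jar:1.0.0-SNAPSHOT
[INFO] +- org.apache.camel.quarkus:camel-quarkus-core:jar:2.2.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Each dependency line carries a tree marker ("+- " or "\- ") followed by
# groupId:artifactId:type[:classifier]:version:scope.
COORD_RE = re.compile(r"[+\\]- (\S+)")


def version_key(version):
    """Numeric components of a version, so '2.3.2' sorts below '2.17.1'."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def parse_tree(tree_text):
    """Return (groupId, artifactId, version) for every dependency line."""
    deps = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue  # root artifact line or other Maven chatter
        parts = m.group(1).split(":")
        if len(parts) < 5:
            continue  # not a full coordinate; skip rather than guess
        # Scope is last, version second to last; a classifier may sit in between.
        deps.append((parts[0], parts[1], parts[-2]))
    return deps


def audit_log4j2(tree_text):
    """Summarise the Log4j 2.x artifacts an application actually resolves."""
    found = {}
    for group, artifact, version in parse_tree(tree_text):
        if group == LOG4J2_GROUP:
            found[artifact] = version
    outdated = sorted(
        (a, v) for a, v in found.items()
        if version_key(v) < version_key(MIN_VERSION)
    )
    unmanaged_present = sorted(a for a in found if a in NOW_UNMANAGED)
    return {
        "log4j2_artifacts": found,
        "outdated": outdated,
        "now_unmanaged": unmanaged_present,
    }


if __name__ == "__main__":
    report = audit_log4j2(SAMPLE_TREE)
    for artifact, version in sorted(report["log4j2_artifacts"].items()):
        print(f"{LOG4J2_GROUP}:{artifact}:{version}")
    for artifact in report["now_unmanaged"]:
        print(f"{artifact}: no longer managed by camel-quarkus-bom; "
              f"its version must come from your own pom")
    for artifact, version in report["outdated"]:
        print(f"WARNING: {artifact} {version} is below {MIN_VERSION}")
```

To run it against a real project, save the tree with `mvn dependency:tree -DoutputFile=tree.txt` and pass the file contents to `audit_log4j2`. The version comparison is numeric on purpose: a plain string compare would rank 2.3.x above 2.17.1.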

ppalaga Peter Palaga
Viliam Kasala