Further CVEs have been reported against log4j-core – CVE-2021-45105 and CVE-2021-44832. WildFly and WildFly Core don't ship log4j-core, only log4j-api but it's simpler just to move to Log4j releases that don't match the CPE for the CVEs than to explain the api vs core distinction.

This is already fixed in main via the dependabot PR https://github.com/wildfly/wildfly-core/pull/4913, but this JIRA can serve to flag it up in the release notes. For 18.x I'll send up a PR.