I replied to a user- post about this, but thought it was worth
repeating it here.
In https://issues.apache.org/jira/browse/CASSANDRA-5883 you can see
where Apache Cassandra never chose to use log4j2 (preferring logback
instead), and thus is not, and has never been, vulnerable to this RCE.
Kind Re
> I find it cleaner that work is found associated to one sha on the hardest
> > branch, and we treat (or should be) CI holistically across branches.
>
> If we -s ours and amend merge commits on things that straddle stuff like
> 8099, MS rewrite, Simulator, guardrails, etc, then we have multiple SHA
