We recently switched to using Corretto Java 11 and I noticed that something called log4j-cve-2021-44228-hotpatch gets installed as a dependency. This package executes a script that appears to be modifying the Java runtime to install an agent that will somehow patch vulnerable versions of log4j. Looking at journalctl, I see this script runs every 30 minutes.
We don't use log4j and we don't have it installed on our EC2 instances. We have over 100 EC2 instances. Is there an easy way to permanently remove this tool or do we have to switch to the OpenJDK Java release?
