log4j CVE not being reflected in the charm

Bug #1954764 reported by Arif Ali
Affects        Status        Importance   Assigned to   Milestone
Graylog Charm  Fix Released  Undecided    Unassigned

Bug Description

Hi all,

I have been working with a user on the graylog charm wrt CVE-2021-44228.

By default, the CVE is applied as per version 2.5.2 and rev 28 of the snap.

When we specify the jvm_heap_size parameter in the charm, this then adds the file /var/snap/graylog/current/default-graylog-server with some of the options, but not all of the default ones that are baked into the snap.

Below are the contents of this file when we have jvm_heap_size=2G.

~~~
# Path to the java executable.
JAVA=/usr/bin/java

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms2g -Xmx2g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"

# Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
GRAYLOG_SERVER_ARGS=""

# Program that will be used to wrap the graylog-server command. Useful to
# support programs like authbind.
GRAYLOG_COMMAND_WRAPPER=""
~~~

We can see from the above that the config option "-Dlog4j2.formatMsgNoLookups=true" does not exist.

I have tested this on the newest graylog-50 charm, and the issue is still there.

Tags: sts
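The report above shows the failure mode: a charm-written env file that sets GRAYLOG_SERVER_JAVA_OPTS for the heap and thereby drops the snap's baked-in log4j mitigation flag. The POSIX sh snippet below is an added example, not part of the bug report, the charm or the snap; it reads a default-graylog-server file, reports whether -Dlog4j2.formatMsgNoLookups=true is present in GRAYLOG_SERVER_JAVA_OPTS, and appends it idempotently when it is missing. The function names are assumptions, and the sample file is a constructed, abridged copy of the one quoted in the report. The system property only disables message lookups on log4j 2.10 and later; upgrading the library is the complete fix, so treat this as a configuration check, not a substitute for the upgrade.

```shell
#!/bin/sh
# Added example (not the charm's or the snap's code): verify and, if needed,
# restore the log4j2 lookup-disable flag in a Graylog env file.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Print the value of GRAYLOG_SERVER_JAVA_OPTS from an env file, quotes stripped.
# (Hypothetical helper name.)
graylog_java_opts() {
    sed -n 's/^GRAYLOG_SERVER_JAVA_OPTS="\(.*\)"$/\1/p' "$1"
}

# Return 0 when the flag is present as a whole token, 1 when it is missing.
has_nolookups_flag() {
    case " $(graylog_java_opts "$1") " in
        *" $FLAG "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Append the flag to GRAYLOG_SERVER_JAVA_OPTS if absent. Idempotent: a second
# call leaves the file untouched. Uses a temp file instead of sed -i for portability.
ensure_nolookups_flag() {
    has_nolookups_flag "$1" && return 0
    tmp=$(mktemp)
    sed "s|^\(GRAYLOG_SERVER_JAVA_OPTS=\"[^\"]*\)\"|\1 $FLAG\"|" "$1" > "$tmp" \
        && mv "$tmp" "$1"
    has_nolookups_flag "$1"
}

# Constructed sample: an abridged copy of the charm-written file quoted in the
# report (heap settings present, log4j flag absent).
write_sample_env() {
    cat > "$1" <<'EOF'
# Path to the java executable.
JAVA=/usr/bin/java

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms2g -Xmx2g -XX:NewRatio=1 -server -XX:-OmitStackTraceInFastThrow"

# Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
GRAYLOG_SERVER_ARGS=""
EOF
}

# Usage: sh check_graylog_log4j.sh /var/snap/graylog/current/default-graylog-server
if [ "$#" -ge 1 ]; then
    if has_nolookups_flag "$1"; then
        echo "ok: $FLAG present in $1"
    else
        echo "MISSING: $FLAG not set in $1 (run ensure_nolookups_flag, then restart graylog)"
    fi
fi
```

Running the check against the file from the report prints the MISSING line; after ensure_nolookups_flag the flag is appended once to the existing opts string, and the heap settings the charm wrote are preserved. A restart of the Graylog service is still required for the JVM to pick up the new option.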

Arif Ali (arif-ali)
tags: added: sts
Changed in charm-graylog:
status: New → Fix Released
milestone: none → 21.10