The Open Distro deb and rpm packages are built on top of the upstream Elasticsearch deb and rpm packages, and those upstream packages are what contain the Log4j2 jars. So we’ve been looking really hard at what the options are for distributing a release that contains a fix, and there are fewer options here than there are for the .tgz and Docker builds.
Right now it looks like we’d need to develop a deb & rpm packaging process more or less from scratch, and doing that in a way that retains backward compatibility and upgradeability for existing users is underway and will likely take several weeks of development.
If you’re using Open Distro < 1.13.2 or the Open Distro 1.13.2 deb/rpm packages, please apply one of the mitigations from the Log4j2 website in the section beginning “For those who cannot upgrade to 2.15.0…”. All users can and should do this immediately, while we work to create deb/rpm packages that have at least one of these mitigations built in by default.
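
One way to check whether a mitigation is actually in place on a node, as an added example (not Open Distro's or Log4j's own code). It assumes the two mitigations in question are removing `JndiLookup.class` from the log4j-core jar and setting `-Dlog4j2.formatMsgNoLookups=true` in `jvm.options`; the function names, status strings and sample jar are constructed for illustration, and the lib directory and `jvm.options` text are whatever your install uses.

```python
import re
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Optional "8:", "8-:" or "8-11:" prefix is Elasticsearch's jvm.options version syntax.
FLAG_LINE = re.compile(r"^\s*(\d+(-\d*)?:)?-Dlog4j2\.formatMsgNoLookups=true\s*$")

def scan_jars(lib_dir):
    """Map each log4j-core jar under lib_dir to True if it still ships JndiLookup."""
    found = {}
    for jar in sorted(Path(lib_dir).rglob("log4j-core-*.jar")):
        with zipfile.ZipFile(jar) as zf:
            found[jar.name] = JNDI_CLASS in zf.namelist()
    return found

def flag_set(jvm_options_text):
    """True if an uncommented formatMsgNoLookups=true line exists (Log4j 2.10+ only)."""
    return any(FLAG_LINE.match(line) for line in jvm_options_text.splitlines())

def audit(lib_dir, jvm_options_text):
    """Classify a node by which of the two assumed mitigations is present."""
    jars = scan_jars(lib_dir)
    if not jars:
        status = "no-jars-found"   # wrong directory: never report this as safe
    elif not any(jars.values()):
        status = "class-removed"   # no log4j-core jar contains JndiLookup
    elif flag_set(jvm_options_text):
        status = "flag-only"       # class still present, property set
    else:
        status = "unmitigated"
    return {"status": status, "jars": jars}

def make_jar(path, with_jndi):
    """Write a constructed stand-in jar (empty class entries, not a real Log4j build)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        make_jar(Path(d) / "log4j-core-0.0.0.jar", with_jndi=True)  # constructed sample
        print(audit(d, "# -Dlog4j2.formatMsgNoLookups=true\n"))     # commented out
        print(audit(d, "-Dlog4j2.formatMsgNoLookups=true\n"))
```

The property is read at JVM startup, so a `flag-only` result describes the configuration file, not a process that was started before the line was added.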