We're currently running RFT / RPT version 10.2.1. Security bulletins indicate that only certain RFT 9.x versions and the RPT JMeter test extension (which we're not using) are susceptible.
I need to confirm that we do not need to install the Service Refresh 7 for IBM Java Runtime Technology version 8.0.
Sorry for late response, there was a site issue responding to questions.
RFT is unaffected ref https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
RPT security bulletin is at https://www.ibm.com/support/pages/node/6538090
Updating java is not a remediation step and unless specifically mentioned to do so in a security bulletin it would be an supported configuration