With regard to mitigating actions for the log4j2 RCE issues: we have several instances, e.g., Oracle client installations on Windows 2012 R2, where it appears that while a version of a log4j2 jar is present, usually version 1.x, it is not being used. Apache is not installed.
Can I just rename the jar to another file type? For example log4j2.jar to log4j2.jar.old.
Will this remove or disable the log4j vulnerability?
Let’s start by addressing some misconceptions here:
Apache HTTP Server and Log4j are unrelated software, so the latter can be used in the absence of the former.
When Log4j is distributed as part of an application, you can generally assume that this application uses it, as logging is generally a central aspect of an application’s support tools. Removing the library (or changing its extension) is likely to make the application crash or misbehave.
Log4j 2 is intentionally not backwards compatible with Log4j 1 (this allows both to be included in the same application), so you cannot just replace Log4j 1 with 2.
Manually upgrading Log4j 2 to the latest version may work (depending on the originally used version), but the best option is to contact the application vendor to get a fix, and upgrade the application as necessary.
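Since the answer above turns on whether a given jar is Log4j 1 or Log4j 2, here is an added example (not part of the original answer) that classifies a jar by the package namespace of the classes it contains and reads the version recorded in its manifest. The helper names, result labels and sample jars are constructed for illustration; nested jars inside application archives are not unpacked.

```python
import io
import re
import zipfile

# Package prefixes, as they appear as entry paths inside a jar.
V2_CORE = "org/apache/logging/log4j/core/"  # Log4j 2 implementation (log4j-core)
V2_API = "org/apache/logging/log4j/"        # Log4j 2 API
V1_NS = "org/apache/log4j/"                 # Log4j 1.x namespace

def manifest_version(zf):
    """Return Implementation-Version from the jar manifest, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def classify_jar(jar):
    """Classify a jar (path or file-like object) by the Log4j classes it carries."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        version = manifest_version(zf)
    if any(n.startswith(V2_CORE) for n in names):
        kind = "log4j2-core"
    elif any(n.startswith(V2_API) for n in names):
        kind = "log4j2-api-only"
    elif any(n.startswith(V1_NS) for n in names):
        kind = "log4j1-namespace"  # Log4j 1.x, or the Log4j 2 bridge for the 1.2 API
    else:
        kind = "none"
    return kind, version

def make_sample_jar(class_path, version):
    """Build a constructed in-memory jar holding one empty class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        zf.writestr(class_path, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, ver in [("org/apache/log4j/Logger.class", "1.2.17"),
                      ("org/apache/logging/log4j/core/Logger.class", "2.14.1")]:
        print(path, "->", classify_jar(make_sample_jar(path, ver)))
```

The file name alone is not a reliable indicator, so run `classify_jar` on the real path of each jar found on disk and record the result before deciding on vendor follow-up.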