Let’s start by addressing some misconceptions here:
- The Apache Software Foundation is a nonprofit organization supporting the development of open-source software.
- The Apache HTTP Server, often referred to as Apache, is a web server.
- Apache Log4j is a logging library for Java applications.
- Log4j 2 (< 2.15.0) is affected by the Log4Shell vulnerability. More specifically, the vulnerability is in log4j-core (not log4j-api, for instance).
- Log4j 1, which has not been maintained since 2015, is not affected by this vulnerability (but it is affected by others).

Apache HTTP Server and Log4j are unrelated software, so the latter can be used in the absence of the former.

When Log4j is distributed as part of an application, you can generally assume that this application uses it, as logging is generally a central aspect of an application’s support tools. Removing the library (or changing its extension) is likely to make the application crash or misbehave.

Log4j 2 is intentionally not backwards compatible with Log4j 1 (which allows both to be included in the same application), so you cannot just replace Log4j 1 with 2.

Manually upgrading Log4j 2 to the latest version may work (depending on the originally used version), but the best option is to contact the application vendor to get a fix, and upgrade the application as necessary.
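
To see which of the cases above applies to an application you have on disk, the following added example (not part of the original answer) walks a JAR/WAR/EAR, including nested archives, and reports each Log4j copy it finds. It assumes the Maven `pom.properties` metadata is still present in the archive; the names `scan`, `core_verdict` and `make_jar` and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

POM = "META-INF/maven/%s/pom.properties"  # Maven metadata path (assumed present)
COMPONENTS = {  # metadata path -> (component, fixed verdict or None)
    POM % "org.apache.logging.log4j/log4j-core": ("log4j-core", None),
    POM % "org.apache.logging.log4j/log4j-api": ("log4j-api", "not the vulnerable artifact"),
    POM % "log4j/log4j": ("log4j 1.x", "not Log4Shell, but unmaintained"),
}
FIXED = (2, 15, 0)  # threshold taken from the text above (< 2.15.0 is affected)


def core_verdict(version):
    m = re.match(r"\d+(?:\.\d+)*", version)  # numeric prefix, so "2.0-beta9" -> 2.0
    if not m:
        return "unknown version, review manually"
    parts = tuple(int(p) for p in m.group().split("."))
    return "affected" if (parts + (0, 0))[:3] < FIXED else "not affected"


def scan(data, name="app", depth=3):  # -> [(archive path, component, version, verdict)]
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a readable archive, nothing to report
    with zf:
        for entry in zf.namelist():
            if entry in COMPONENTS:
                comp, fixed = COMPONENTS[entry]
                m = re.search(rb"^version=(.+)$", zf.read(entry), re.M)
                ver = m.group(1).decode().strip() if m else ""
                found.append((name, comp, ver, fixed or core_verdict(ver)))
            elif depth > 0 and entry.lower().endswith((".jar", ".war", ".ear")):
                found += scan(zf.read(entry), f"{name}!/{entry}", depth - 1)  # fat jar
    return found


def make_jar(files):  # constructed in-memory archive for the demo, {path: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":  # constructed sample: log4j-core 2.14.1 nested in a fat jar
    inner = make_jar({POM % "org.apache.logging.log4j/log4j-core": b"version=2.14.1\n"})
    print(scan(make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": inner}), "demo.jar"))
```

An empty result only means no Maven metadata was found: a repackaged build that strips `META-INF/maven` will not be detected this way, so treat it as a first pass and still confirm with the vendor.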