Can I safely remove existing log4j files?

QUESTION:

We have a few scanners that look for log4j* files. Can we safely remove the files found from the RadiantOne install location?

 

ANSWER:

Some log4j files can be removed and others can be ignored. 

  • Regarding the upgrade-installer-migrations-lib jar files:
    <RadiantOne_Install_Location>\work\update-installer-migrations-lib\log4j-1.2-api-2.7.jar
    <RadiantOne_Install_Location>\work\update-installer-migrations-lib\log4j-api-2.7.jar
    <RadiantOne_Install_Location>\work\update-installer-migrations-lib\log4j-slf4j-impl-2.7.jar

These files are from the RadiantOne update installer used to patch a RadiantOne install. You can safely remove these files. Also, these files don't include the log4j-core-2.7.jar which is the jar containing the vulnerability, so there is no exploit risk.

  • Regarding the Apache Ant files:
    <RadiantOne_Install_Location>\ant\lib\ant-apache-log4j-1.7.0.jar
    <RadiantOne_Install_Location>\ant\lib\ant-apache-log4j-1.7.0.pom -> irrelevant, not an actual jar file.
    <RadiantOne_Install_Location>\ant\lib\ant-apache-log4j-1.7.0.pom.md5 -> irrelevant, not an actual jar file.
    <RadiantOne_Install_Location>\ant\lib\ant-apache-log4j-1.7.0.pom.sha1 -> irrelevant, not an actual jar file.

These files are from Apache Ant which we distribute with our product to compile/generate local jar files for customization purposes. There is no risk here: Apache Ant actually uses a very old version of Log4J1 (https://blogs.apache.org/security/entry/cve-2021-44228) that did not contain
the vulnerability (the vulnerability was introduced starting in Log4j2), so there is no exploit risk.
Removing these files can cause failures in Ant and issues with generating jar files used for custom/interception/transformation scripts. It is not recommended to remove these files.

  • Regarding the <RadiantOne_Install_Location>\apps\web\disabled\docs.war:WEB-INF/lib/log4j-core-2.14.1.jar:
    If the docs.war file is in the disabled folder, then removing it will not affect anything.

  • Regarding the <RadiantOne_Install_Location>\work\update-installer\resources\7.2.10\Migration_1\data\common\lib\log4j-core-2.7.jar
    You can safely remove this file.

 

 

 

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Articles in this section

See more