Why does log4j-1.2.17.jar keep appearing

stondino00 · November 15, 2022, 6:44pm

Everytime I reboot or update lucee, log4j-1.2.17.jar keeps re-appearing under Lucee,tomcat,lucee-server,bundles.

Running most recent stable version 5.3.9.166. I was under the impression that ALL bundled log4j 1.2.X versions were removed. How do I keep this jar file from re-appearing?

bdw429s · November 15, 2022, 6:49pm

I would make sure you are using the latest Lucee jar and not just an under version of Lucee with an updated core file. Also, the jar may be coming from an extension that’s not part of the Lucee core.

stondino00 · November 15, 2022, 7:07pm

This is what I have under extension, applications.

bdw429s · November 15, 2022, 7:08pm

And what of my other question? The Lucee jar (loader) version?

stondino00 · November 15, 2022, 7:55pm

It’s been updated as well.

stondino00 · November 15, 2022, 7:56pm

This confirms the version via the 8888 web interface.

bdw429s · November 15, 2022, 9:59pm

The second screenshot doesn’t show the loader version, just the core version. The first screenshot is what we needed though.

All I can think of is to

dig through your lucee jar and see if that jar exists in the packaged bundled folder
dig into each installed extension lex and see if it’s in any of those bundles folders
Enable the Lucee setting to disallow bundle downloads and see if Lucee blows up in the console logs when some code asks for it to be downloaded. System Properties and Environment Variables :: Lucee Documentation

Zackster · November 16, 2022, 8:41am

what do you see under bundles in the server admin?

bump up the deploy log level to info and do the stop, delete restart?

fresh install or upgrade? what’s the lucee var version in the /lucee/lib folder (aka the loader)