Why does log4j-1.2.17.jar keep appearing

Everytime I reboot or update lucee, log4j-1.2.17.jar keeps re-appearing under Lucee,tomcat,lucee-server,bundles.

Running most recent stable version I was under the impression that ALL bundled log4j 1.2.X versions were removed. How do I keep this jar file from re-appearing?

I would make sure you are using the latest Lucee jar and not just an under version of Lucee with an updated core file. Also, the jar may be coming from an extension that’s not part of the Lucee core.

This is what I have under extension, applications.

And what of my other question? The Lucee jar (loader) version?

It’s been updated as well.

This confirms the version via the 8888 web interface.

The second screenshot doesn’t show the loader version, just the core version. The first screenshot is what we needed though.

All I can think of is to

  • dig through your lucee jar and see if that jar exists in the packaged bundled folder
  • dig into each installed extension lex and see if it’s in any of those bundles folders
  • Enable the Lucee setting to disallow bundle downloads and see if Lucee blows up in the console logs when some code asks for it to be downloaded. System Properties and Environment Variables :: Lucee Documentation

what do you see under bundles in the server admin?

bump up the deploy log level to info and do the stop, delete restart?

fresh install or upgrade? what’s the lucee var version in the /lucee/lib folder (aka the loader)