Wildfly 9 and 18 logmanager


Shiva Kumar

Jan 5, 2022, 10:42:01 AM
to WildFly
I am using WildFly 9 and 18, which use log4j 1.2.16 in the log4j-jboss-logmanager module, which is vulnerable. I have seen some solutions that delete the JMSadapter and Lookup classes from the server source. But I want to migrate log4j 1.2.16 to the log4j2 version, or migrate the module itself, for more security reasons. Please tell me how this can be achieved.

James Perkins

Jan 5, 2022, 11:18:49 AM
to WildFly
The vulnerability you're thinking of does not affect log4j1. There is a CVE in log4j 1, but it only has to do with the JMSAppender. If you're not using a log4j 1 configuration file in your deployment that creates a JMSAppender you've got no issues. Even then you'd likely still not be vulnerable.

If you use log4j 2 in your deployment you'll want to upgrade it to 2.17.1 and redeploy it.
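
The two checks described in the reply above, as an added example that is not part of the thread or of WildFly: it scans a deployment archive (including nested JARs) for a log4j 1 configuration file that declares a JMSAppender, and for a bundled log4j-core JAR older than 2.17.1. It assumes the default config file names `log4j.properties` and `log4j.xml` and reads the log4j 2 version from the JAR file name; the sample archive is constructed in memory.

```python
import io
import re
import zipfile

CONFIG_NAMES = ("log4j.properties", "log4j.xml")   # assumed log4j 1 config file names
JMS_APPENDER = b"org.apache.log4j.net.JMSAppender"
# Assumption: the bundled log4j 2 version is readable from the JAR file name.
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
FIXED = (2, 17, 1)                                 # version named in the reply

def scan_archive(data, label="deployment"):
    """Return (finding, path) tuples for a WAR/EAR/JAR given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = f"{label}!/{name}"
            base = name.rsplit("/", 1)[-1]
            if base in CONFIG_NAMES and JMS_APPENDER in zf.read(name):
                findings.append(("jms-appender-configured", path))
            m = CORE_JAR.search(name)
            if m:
                version = tuple(int(p or 0) for p in m.groups())
                if version < FIXED:
                    findings.append(("log4j2-below-2.17.1", path))
            elif name.endswith((".jar", ".war")):
                try:  # recurse into nested archives
                    findings.extend(scan_archive(zf.read(name), path))
                except zipfile.BadZipFile:
                    pass  # entry only looks like an archive; skip it
    return findings

def build_sample_war():
    """Constructed sample deployment so the example runs offline."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("log4j.properties",
                     "log4j.rootLogger=INFO, jms\n"
                     "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/app-config.jar", inner.getvalue())
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", b"")
        zf.writestr("WEB-INF/classes/log4j.properties",
                    "log4j.rootLogger=INFO, console\n"
                    "log4j.appender.console=org.apache.log4j.ConsoleAppender\n")
    return war.getvalue()

if __name__ == "__main__":
    for kind, path in scan_archive(build_sample_war(), "sample.war"):
        print(kind, path)
```

A config file that only declares other appenders, like the `ConsoleAppender` one in the sample, produces no finding.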
