Hi,

I have a web application for which I use *Apache Tomcat* as the web container. Also, I was using the *log4j framework* with version "*1.2.8*" to keep logs. When I learned that log4j was *vulnerable*, I tried to uninstall it, because I want to make sure it's not vulnerable before using it again.

I use one of the Linux distributions. First of all, I ran the "*find*" command to get the locations of log4j files and removed the "*log4j-1.2.8.jar*" and "*log4j.properties*" files, which were the only files that I got from the find query. Then I ran the "*grep*" command to make sure log4j is *not shaded* inside of other jar files. So I removed the "*/org/apache/log4j*" folder and the *log4j.properties* file from my other jars. Also, I modified the "*config.dtd*" file, in which I saw some log4j parts. But "grep" still gives me some output because of references in other loggers like "*common.logging*". Also, I use "*axis.jar*", and I know axis' *default* logger is log4j, and I don't know whether I should do something inside of it or not.

To sum up, I still do not know whether I *successfully removed* log4j from my system *or not*, because I have the "log4j:WARN No appenders could be found for logger" and "log4j:WARN Please initialize the log4j system properly." logs inside "*catalina.out*". The referencing class is "org.apache.axis.transport.http.AxisServlet".

I am looking forward to hearing from you.

Thanks,
*Ahmet KURT*
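
An added example, not part of the original message: a byte-level grep over jars also matches string references to log4j (for instance the `org.apache.commons.logging.impl.Log4JLogger` adapter in commons-logging), so it cannot tell a reference from a bundled copy. The sketch below instead lists archive entries and reports only real log4j 1.x classes and config files, including ones inside nested or shaded jars. The function names and the nesting depth limit are choices made for this example.

```python
import io
import os
import zipfile

ARCHIVES = (".jar", ".war", ".ear", ".zip")
PACKAGE = "org/apache/log4j/"            # log4j 1.x package path (2.x uses org/apache/logging/log4j/)
CONFIGS = ("log4j.properties", "log4j.xml")


def is_log4j_entry(path):
    """True for a log4j 1.x class or config file at any prefix (shaded, WEB-INF/classes)."""
    path = path.replace(os.sep, "/")
    if path.endswith(".class") and PACKAGE in path:
        return True
    return path.rsplit("/", 1)[-1] in CONFIGS


def scan_archive(fileobj, label, hits, depth=0):
    """Append 'archive!entry' strings to hits, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return                            # not a real archive despite its extension
    with zf:
        for name in zf.namelist():
            if is_log4j_entry(name):
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(ARCHIVES) and depth < 3:
                nested = io.BytesIO(zf.read(name))
                scan_archive(nested, f"{label}!{name}", hits, depth + 1)


def scan_tree(root):
    """Return every log4j 1.x class/config under root: loose files and archive entries."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if is_log4j_entry(full):
                hits.append(full)         # loose file, e.g. an exploded webapp
            elif fname.lower().endswith(ARCHIVES):
                scan_archive(full, full, hits)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run it against the Tomcat installation directory and any shared library directories on the classpath; an empty result means no log4j 1.x classes or config files were found in the scanned tree.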