We installed AEM Forms JBoss 6.5.12 on WIN SERVER 2019. A recent Tenable Nessus scan showed some log4j CVEs, specifically v.1.2.14, in the following locations:
<plugin_output>
Path : M:\Temp\adobejb_server1\ArchiveStore\40\log4j-1.2.14.jar
Installed version : 1.2.14
Path : M:\Adobe\Adobe_Experience_Manager_Forms\sdk\client-libs\thirdparty\log4j-1.2.14.jar
Installed version : 1.2.14
Path : M:\Adobe\Adobe_Experience_Manager_Forms\deploy\adobe-edcserver-jboss.ear
Installed version : 1.2.14
</plugin_output>
The solution from Tenable is to upgrade this to the latest 2.17.2.
This v.1.2.14 version came with the installed package along with v.2.x. After talking to Adobe tech support, they say there's no fix/patch to remove v.1.x.
My questions are:
1. How do I fix this?
2. Can I just delete/remove these JAR and EAR files? Do they have any dependencies that will break something?
Thank you for any assistance.
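
The third finding in the scan output names the EAR itself rather than a JAR, which suggests the library is packaged somewhere inside that archive. The following is an added example (not part of the original post, and not Adobe or Tenable code) that lists every `log4j-<version>.jar` inside an EAR, descending into nested WAR/JAR levels. It assumes the library keeps its conventional file name; the sample archive layout and the function names are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Archive types that can carry nested libraries in a Java EE deployment.
ARCHIVE_EXT = (".ear", ".war", ".jar", ".rar", ".sar")
# Matches log4j-1.2.14.jar style names; log4j-core-2.x / log4j-api-2.x do not match.
LOG4J_NAME = re.compile(r"(?:^|/)log4j-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def find_log4j(data, trail=()):
    """Return [(path inside archive, version)] for each log4j-<version>.jar
    found in the zip bytes `data`, descending into nested archives."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, skip it
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith(ARCHIVE_EXT):
                continue
            path = trail + (name,)
            match = LOG4J_NAME.search(name)
            if match:
                hits.append(("!/".join(path), match.group(1)))
            else:
                hits.extend(find_log4j(zf.read(info), path))
    return hits


def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_ear():
    # Constructed sample, NOT the real adobe-edcserver-jboss.ear layout.
    jar = _zip({"placeholder.txt": b""})
    war = _zip({"WEB-INF/lib/log4j-1.2.14.jar": jar,
                "WEB-INF/lib/log4j-core-2.17.2.jar": jar})
    return _zip({"lib/log4j-1.2.14.jar": jar, "sample-web.war": war})


if __name__ == "__main__":
    # Pass the path of an EAR to scan it; with no argument the sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ear()
    for inner_path, version in find_log4j(blob):
        print(version, inner_path)
```

Each result shows the chain of containing archives separated by `!/`, which identifies the module that bundles the 1.x library.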