To address CVE-2019-17571 flagged by a client I'm trying to upgrade Log4j 1.2.x used within our jfreechart-based Rails application to Log4j 2 (following the instructions here). However, I couldn't tell which Java library is still using the old Log4j 1.x imports. Here's the error I'm seeing in Rails log (the Java charting application is loaded via RJB):
$ tail -f production_log.2020-03-29
FATAL 2020-03-29 16:58:49 30512 NoClassDefFoundError (org/apache/log4j/Logger):
lib/chart_interface.rb:24:in 'method_missing'
lib/chart_interface.rb:24:in 'createChart'
app/controllers/dash_controller.rb:565:in 'resources_info'
Is this a good way to find out which third-party Java libraries are using the old Log4j 1.x imports?
$ ls -ltr
total 8756
-rw-r----- 1 root ainet 391430 Oct 5 02:16 log4j-1.2.15.jar.old
-rwxr-x--- 1 root ainet 1801249 Mar 26 03:15 wig.jar
-rwxr-x--- 1 root ainet 288911 Mar 26 03:15 tcommon-2.1.jar
-rwxr-x--- 1 root ainet 657841 Mar 26 03:15 postgresql-9.4-1202.jdbc42.jar
-rwxr-x--- 1 root ainet 1702810 Mar 26 03:15 log4j-core-2.13.1.jar
-rwxr-x--- 1 root ainet 292243 Mar 26 03:15 log4j-api-2.13.1.jar
-rwxr-x--- 1 root ainet 1425744 Mar 26 03:15 jfreechart-1.0.13.jar
-rwxr-x--- 1 root ainet 62103 Mar 26 03:15 commons-pool-1.3.jar
-rwxr-x--- 1 root ainet 121757 Mar 26 03:15 commons-dbcp-1.2.2.jar
-rw-r--r-- 1 ainet ainet 330507 Mar 26 03:50 jcommon-1.0.24.jar
$ grep -R apache\.log4j
Binary file log4j-1.2.15.jar.old matches
The only hit was in the old jar file and yet RJB is complaining about NoClassDefFoundError.