While testing for vulnerable versions of the Apache log4j libraries, some are found in the REPLACED folder, even after patching for the vulnerability.

Release : 17.3

Component :

Files in the REPLACED folder structure are merely backups of those replaced during the patch install.

They're not in the executable library path, so shouldn't cause a problem. However, if you wish to zip up / backup / delete them to stop the scanner setting an alarm of, you're welcome to do so.