While testing for vulnerable versions of the Apache log4j libraries, some are found in the REPLACED folder, even after patching for the vulnerability.
Additionally, vulnerable files may be found in the temp folder
Release : 17.3 and higher
Component :
Files in the REPLACED folder structure are merely backups of those replaced during the patch install.
They're not in the executable library path, so shouldn't cause a problem. However, if you wish to zip up / backup / delete them to stop the scanner setting an alarm of, you're welcome to do so.
Files in the temp folder are leftover from installation and can be deleted without issue