Visibroker uses log4j 1.x only when its logs are enabled to trace CORBA communication.
To avoid exposure to the log4j 1.x vulnerability, you can remove the log4j 1.x jar, provided Visibroker logging is kept disabled.
Note: Visibroker logging is disabled by default.
SpectroSERVER:
--------------
Linux:
--------
1. Log in as root on the SpectroSERVER machine (you MUST be logged in as root to stop the Spectrum Process Daemon process).
2. Stop processd (which also stops SpectroSERVER and Archive Manager).
3. Make sure Visibroker logs are disabled (vbroker.log.enable=false) in the following files:
$SPECROOT/.jcorbarc
$SPECROOT/.corbarc
$SPECROOT/.jcorbrc
$SPECROOT/.corbrc
4. Remove the following jar file.
$SPECROOT/lib/log4j.jar
5. Start processd
6. Log in with the Spectrum install owner account on the SpectroSERVER machine and start the SpectroSERVER.
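A check for steps 3 and 4 above, to run before restarting processd. This is an added example, not part of the original article or the vendor's tooling. It assumes each setting appears on its own line as vbroker.log.enable=<value> and that lines starting with # are comments; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify steps 3 and 4 of the Linux procedure.
# Assumptions: settings look like "vbroker.log.enable=<value>" on one line,
# and lines starting with '#' are comments.

VBROKER_FILES=".jcorbarc .corbarc .jcorbrc .corbrc"

# Print every config file under $1 that sets vbroker.log.enable
# to anything other than the literal value "false".
vbroker_logging_enabled_files() {
    specroot=$1
    for name in $VBROKER_FILES; do
        f="$specroot/$name"
        [ -f "$f" ] || continue
        # Drop comment lines, then keep only the value after the key.
        grep -v '^[[:space:]]*#' "$f" |
            sed -n 's/^.*vbroker\.log\.enable[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' |
            while read -r value; do
                case "$value" in
                    false) ;;
                    *) echo "$f"; break ;;
                esac
            done
    done
}

# Return 0 when no file enables logging and lib/log4j.jar is gone,
# 1 when some file enables logging, 2 when the jar is still present.
check_log4j_removal() {
    specroot=$1
    enabled=$(vbroker_logging_enabled_files "$specroot")
    if [ -n "$enabled" ]; then
        echo "Visibroker logging not disabled in:" >&2
        echo "$enabled" >&2
        return 1
    fi
    if [ -e "$specroot/lib/log4j.jar" ]; then
        echo "still present: $specroot/lib/log4j.jar" >&2
        return 2
    fi
    echo "OK: logging disabled, log4j.jar removed"
}
```

Call it as check_log4j_removal "$SPECROOT" after step 4. A file that does not contain the key is not flagged, because Visibroker logging is disabled by default.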
Windows:
--------
1. Log in as Administrator on the SpectroSERVER machine.
2. Stop processd (which also stops SpectroSERVER and Archive Manager).
3. Make sure Visibroker logs are disabled (vbroker.log.enable=false) in the following files:
$SPECROOT\.jcorbarc
$SPECROOT\.corbarc
$SPECROOT\.jcorbrc
$SPECROOT\.corbrc
4. Remove the following jar file.
$SPECROOT\lib\log4j.jar
5. Start processd
6. Log in with the Spectrum install owner account and start the SpectroSERVER.
OneClick Server:
-----------------
From 21.2.8, log4j 1.x is not part of the OneClick Server, and Visibroker logs are disabled (vbroker.log.enable=false) by default in the file $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml.