How to remove the vulnerable classes from log4j-1.2.x.jar
IDM 14.3
After the vulnerable classes have been removed, a security scanner will typically still report the log4j 1.2.x CVE findings against the jar, because most scanners identify the library from the file name and version rather than by inspecting which classes it actually contains. The administrator therefore has to mark those findings as "False Positive", with a justification stating that the corresponding vulnerable classes have been removed from the log4j-1.2.x.jar file.
Steps to remove the vulnerable classes from the jar file in the standalone configuration:
1. Stop the server
2. Take a backup of the existing log4j-1.2.<x>.jar file
3. From a working directory that contains only a copy of the jar, execute the following commands (Windows command prompt; del /p prompts for confirmation before each deletion). The jar is extracted in place, the jar itself and the vulnerable classes are deleted, and the remaining contents are repacked under the original name. Because the repack uses *, anything else left in the directory would end up inside the new jar.
jar -xvf log4j-1.2.<x>.jar
del /p log4j-1.2.<x>.jar
rmdir /s "org\apache\log4j\chainsaw"
del /p "org\apache\log4j\net\JMSAppender.class"
del /p "org\apache\log4j\net\SocketServer.class"
del /p "org\apache\log4j\jdbc\JDBCAppender.class"
jar cvf log4j-1.2.<x>.jar *
Note: jar cvf generates a new default manifest instead of reusing the extracted META-INF\MANIFEST.MF; use the jar tool's m option with that file if the original manifest must be preserved. Before starting the server, list the contents of the new jar and confirm that none of the removed class paths are still present.
4. Start the server.
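The same procedure, written as an added example that is not part of this article or of the IDM product: a small Python script that removes the listed entries from a jar with the standard zipfile module, keeps every other entry (including the original manifest) byte for byte, and verifies afterwards that none of the removed paths remain. It runs the same way on Windows and Linux and needs no jar tool. The sample jar built by build_sample_jar() is constructed here for demonstration only and contains placeholder bytes, not real log4j bytecode; the file names and function names are this example's own.

```python
"""Strip specific classes/packages from a jar and verify the result (added example)."""
import os
import tempfile
import zipfile

# Entries removed by the procedure above, as paths inside the jar.
# A trailing "/" marks a whole package directory (chainsaw).
VULNERABLE_ENTRIES = (
    "org/apache/log4j/chainsaw/",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
)


def should_drop(name, drop=VULNERABLE_ENTRIES):
    """True if a jar entry is an exact match or lies under a dropped package dir."""
    return any(name == d or (d.endswith("/") and name.startswith(d)) for d in drop)


def strip_jar(src, dst, drop=VULNERABLE_ENTRIES):
    """Copy src to dst without the dropped entries; return the sorted removed names.

    Each kept entry is written from its original ZipInfo, so compression type,
    timestamps and META-INF/MANIFEST.MF survive unchanged (unlike `jar cvf`,
    which writes a fresh default manifest).
    """
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if should_drop(info.filename, drop):
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return sorted(removed)


def remaining_vulnerable(jar, drop=VULNERABLE_ENTRIES):
    """Verification step: dropped paths still present in jar (expected empty)."""
    with zipfile.ZipFile(jar) as z:
        return sorted(n for n in z.namelist() if should_drop(n, drop))


def build_sample_jar(path):
    """Constructed stand-in for log4j-1.2.x.jar: placeholder payloads, not bytecode."""
    entries = [
        "META-INF/MANIFEST.MF",
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/chainsaw/Main.class",
        "org/apache/log4j/chainsaw/LoggingReceiver.class",
        "org/apache/log4j/net/JMSAppender.class",
        "org/apache/log4j/net/SocketAppender.class",
        "org/apache/log4j/net/SocketServer.class",
        "org/apache/log4j/jdbc/JDBCAppender.class",
    ]
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        for name in entries:
            if name.endswith(".MF"):
                payload = b"Manifest-Version: 1.0\n"
            else:
                payload = b"\xca\xfe\xba\xbe" + name.encode()  # fake class header
            z.writestr(name, payload)
    return entries


def demo():
    """Run backup-free strip on the constructed jar; return (removed, remaining, kept)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "log4j-1.2.x-sample.jar")       # hypothetical name
    dst = os.path.join(work, "log4j-1.2.x-sample.stripped.jar")
    build_sample_jar(src)
    removed = strip_jar(src, dst)
    with zipfile.ZipFile(dst) as z:
        kept = sorted(z.namelist())
    return removed, remaining_vulnerable(dst), kept


if __name__ == "__main__":
    removed, remaining, kept = demo()
    print("removed:", removed)
    print("still vulnerable:", remaining)   # expected: []
    print("kept:", kept)
```

On a real installation you would point strip_jar at the backed-up log4j-1.2.<x>.jar, write the result to a new file, run remaining_vulnerable on it, and only then swap it into place; the jar tool is not needed, so the step can be scripted identically on Windows and Linux hosts.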