The following log4j 2.x jar files may be found on a BPM Enterprise (BPME) 4.3.0 / 4.3.1 installation - 

log4j-core-2.8.2.jar
log4j-api-2.8.2.jar

These jars were incorrectly included in the appdev component. These jar files are not used/loaded. The steps in the resolution section may be followed to remove these log4j 2.x jars, if needed. 

This article provides separate instructions for UNIX based (Section A) and Windows based (Section B) environments.

A. For UNIX-based environments

Please follow the below steps on each server to remove these log4j 2.x jar files - 

1. Create 2 local directories - backup and work - outside of BPME filesystem (TIBCO_HOME/CONFIG_HOME/Shared_Dir) using the same operating system user. 

For example - /home/bpm/work & /home/bpm/backup

The backup directory will store the files that will be modified by the script. 
The work directory will store the script used to perform the delete.

Note: Please do not delete these directories until the script has been verified as successful. 

2. Copy the attached script updateAppdevWarBundle.sh into the work directory (created in Step A1). This script runs commands like zip, unzip, touch. Please make sure these are available on the server. 

3. In updateAppdevWarBundle.sh - set the TIBCO_HOME (line #58), CONFIG_HOME (line #62), SHARED_ADMIN_FOLDER (line #70) and BACKUP_FOLDER (line #74) as per the environment. 
 
4. Find the appdev war and log4j 2.x jar files under the BPME filesystem.

For example - 
find /opt/tibco/bpm_home /opt/tibco/bpm_config_home /bpm_share /amx_share -name appdev-war-1.3.*-SNAPSHOT.war -printf '"%p"\n' | xargs cksum
find /opt/tibco/bpm_home /opt/tibco/bpm_config_home /bpm_share /amx_share -name log4j-*-2.8.2.jar -printf '"%p"\n' | xargs cksum

5. Stop all tibcohost processes under a CONFIG_HOME
tibcohost stop -wait true

6. Execute the script which was setup in step # A3

7. Repeat step # A4 again. If the script is successful, the expected result is that there are no occurrences of log4j 2.x jars and the appdev war file is updated on all locations.

8. Restart each tibcohost process with the -clearCache option 
tibcohost spawn -clearCache

9. Repeat step #4 again and confirm the result is the same as step # A7

10. Verify the appdev component has restarted successfully. If you use appdev, please perform a basic sanity test. 

B. For Windows-based environments  - 

Note: Due to the windows path length restriction, the bat script assumes that the appdev wars and log4j 2.8.2 jars will not be hiding too deep (file path length > 260 chars) in the File System hierarchy. If the file path is too deep, then the script will fail. 

1. Install 7-zip (https://www.7-zip.org/) and add <7zip_home> to the system PATH. This directory should contain the executable 7z.  

For example - After installing, the directory "C:\Program Files\7-Zip" will contain the executable 7z

2. Create 2 local directories - backup and work - outside of BPME filesystem (TIBCO_HOME/CONFIG_HOME/Shared_Dir) using the same operating system user. 

For example - C:\Users\bpm\work & C:\Users\bpm\backup

The backup directory will store the files that will be modified by the script. 
The work directory will store the script used to perform the delete.

Note: Please do not delete these directories until the script has been verified as successful. 

3. Copy the attached script updateAppdevWarBundle.bat into the work directory (created in Step B2). 

4. In updateAppdevWarBundle.bat - set the TIBCO_HOME (line #61), CONFIG_HOME (line #65), SHARED_ADMIN_FOLDER (line #72) and BACKUP_FOLDER (line #76) as per the environment. 
 
5. Find the log4j 2.x jar files under the BPME filesystem.

For example - 
2>NUL dir "C:\tibco\bpm_home" "C:\tibco\bpm_config_home" "X:\bpm_share" /s | findstr log4j-core-2.8.2.jar
2>NUL dir "C:\tibco\bpm_home" "C:\tibco\bpm_config_home" "X:\bpm_share" /s | findstr log4j-api-2.8.2.jar

Note: If log4j-core-2.8.2.jar does not exist in your environment, then please contact TIBCO Support. 

6. Stop all tibcohost processes under a CONFIG_HOME
tibcohost stop -wait true

7. Open a command prompt - "Run as administrator" and execute the script which was setup in step #B4.

8. Repeat step #B5 again. If the script is successful, the expected result is that there are no occurrences of log4j 2.x jars and the appdev war file is updated on all locations.

9. Restart each tibcohost process with the -clearCache option 
tibcohost spawn -clearCache

10. Repeat step #B5 again and confirm the result is the same as step #B8

11. Verify the appdev component has restarted successfully. If you use appdev, please perform a basic sanity test.