I have a user who insists on using a piece of software that relies on Java, but it hasn't been updated for over a decade. The user claims it works fine on their home machine, but I've had trouble getting it to run in our work environment. While investigating, I found two files with 'log4j' in their names, and I'm concerned about potential vulnerabilities. In our setting, we've configured the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true, which might be blocking something the software needs. Could this variable explain why the software doesn't work at work but does at home? If I test by removing the variable, would it pose a security risk? I've run virus scans on the software, but nothing came up. I'm stuck between accommodating the user and ensuring our system's safety. What are the risks associated with running this old software in 2026?
2 Answers
Is this really worth jeopardizing your job? Have you discussed this with your team? If there's no solid business justification for using this old software, you should definitely consult with your security team or higher-ups. You're not the one who should be accepting that risk for the company.
Honestly, it’s not worth the trouble. You should inform the user about the log4j vulnerability and how your company's security measures would likely prevent the software from running. There are probably more modern, supported options that could achieve what they're after. Just steer them towards an alternative!
Right? IT can provide insights and guidance, but ultimately management should make the decision on whether to take that risk.