How to replace/update Apache Log4j 1.2.x with 2.17?

My vulnerability scanner recently flagged an unsupported installation of Apache Log4j in a version of MS SQL we just recently deployed (SQL 2019). It causes two high-priority findings that I must get resolved. It seems to be, specifically, the file log4j-1.2.17.jar that is implicated.

Evidently there is a version 2.17.1 available here: https://logging.apache.org/log4j/2.x/download.html

Unfortunately I don't know how to use it. There's no installer, just a bunch of files. The same site has a section of articles that seem to be geared towards how developers can use Apache2 (which seems to be what this file collection actually is) but I'm not a developer, just a systems manager. I suspect this is not just a drag-and-drop operation, as I'm sure the flagged file gets called by the application somehow.

Unfortunately, in addition to not being a developer I do not have an intimate understanding how how MS SQL 2019 actually functions, so I don't know what would go wrong if I simply swapped out that file with a new one manually (and there's no clear candidate for that anyways).

Is there any guidance for how to migrate between versions of Apache for applications that installs a given version for its own use?

If you don't have the source code of a project and just want to fix the log4j 1.x vulnerabilities you can use reload4j project. It allows to replace the file log4j-1.2.17.jar by the reload4j jar file without other changes.

The reload4j project is a fork of Apache log4j version 1.2.17 in order to fix most pressing security issues. It is intended as a drop-in replacement for log4j version 1.2.17. By drop-in, we mean the replacement of log4j.jar with reload4j.jar in your build without needing to make changes to source code, i.e. to your java files.