To mitigate the risk of Log4Shell and other Log4j-related vulnerabilities in VCM, we recommend that customers run the mitigate.sh script described below until a complete fix is available.
This script performs the following:
- Deletes JndiLookup.class from log4j-core-* jar files and prevents it from being loaded in the application’s classpath.
- Disables the JNDI (Java Naming and Directory Interface) message lookup feature by setting LOG4J_FORMAT_MSG_NO_LOOKUPS to true in the vityl-storm* service files.
- Deletes Chainsaw classes from log4j-1.x and other concerning jar files.
- Deletes JMSAppender class from log4j-core-2.x and log4j-1.x.
- Deletes JMSSink class from log4j-1.x.
- Deletes JDBCAppender class from log4j-1.x.
Perform the following steps to run the script:
- Copy the mitigate.sh script to the system where VCM is installed.
- Run the script as the root user with the command: ./mitigate.sh
A mitigate.log file will be generated in the same directory as the script.
For multiple system deployments, run the script on all systems where VCM components are installed.
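The following is an added example, not the vendor's mitigate.sh, showing how the jar part of this mitigation works: audit Java archives for the classes listed above, rebuild a jar without them while keeping a .bak copy, and record LOG4J_FORMAT_MSG_NO_LOOKUPS=true in a service file. It uses only the Python standard library and builds its own constructed sample jar and unit file in a temporary directory. The class paths, the assumption that the vityl-storm* service files are systemd units, and the sample file names are assumptions, not details from the original page.

```python
# Added example, not the vendor's mitigate.sh: audit jars for the classes the
# mitigation removes, rebuild a jar without them (keeping a .bak copy), and set
# LOG4J_FORMAT_MSG_NO_LOOKUPS=true in a service file. Standard library only.
import os
import shutil
import tempfile
import zipfile

# Entries are matched by basename; the log4j 1.x chainsaw package by prefix.
# Assumption: standard log4j 1.x / 2.x package layout.
FLAGGED_BASENAMES = {
    "JndiLookup.class",    # log4j-core 2.x lookup abused by Log4Shell
    "JmsAppender.class",   # log4j-core 2.x
    "JMSAppender.class",   # log4j 1.x
    "JMSSink.class",       # log4j 1.x
    "JDBCAppender.class",  # log4j 1.x
}
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"
NO_LOOKUPS_LINE = "Environment=LOG4J_FORMAT_MSG_NO_LOOKUPS=true"


def is_flagged(entry_name):
    """True if a jar entry is one of the classes the mitigation removes."""
    if entry_name.startswith(CHAINSAW_PREFIX) and entry_name.endswith(".class"):
        return True
    return entry_name.rsplit("/", 1)[-1] in FLAGGED_BASENAMES


def flagged_entries(jar_path):
    """Audit step: list flagged entries without modifying the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(n for n in jar.namelist() if is_flagged(n))


def scrub_jar(jar_path):
    """Rewrite the jar without flagged entries; return the removed names.

    zipfile cannot delete in place, so the archive is rebuilt into a temp file
    in the same directory and swapped in with os.replace (atomic on the same
    filesystem); a .bak copy of the original is kept so the change can be undone.
    """
    removed = []
    jar_dir = os.path.dirname(os.path.abspath(jar_path))
    fd, tmp_path = tempfile.mkstemp(suffix=".tmp", dir=jar_dir)
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as zin, zipfile.ZipFile(tmp_path, "w") as zout:
            for info in zin.infolist():
                if is_flagged(info.filename):
                    removed.append(info.filename)
                    continue
                zout.writestr(info, zin.read(info))  # keeps timestamps and compression
        if removed:
            shutil.copy2(jar_path, jar_path + ".bak")
            os.replace(tmp_path, jar_path)
    finally:
        if os.path.exists(tmp_path):  # only when nothing was removed or on error
            os.remove(tmp_path)
    return sorted(removed)


def scan_tree(root):
    """Map every .jar under root that still holds flagged classes to those entries."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                hits = flagged_entries(path)
                if hits:
                    findings[path] = hits
    return findings


def ensure_no_lookups(service_file):
    """Add the Environment= line under [Service] if missing; True if the file changed.

    Assumption: the vityl-storm* service files are systemd units (the page does
    not name the init system).
    """
    with open(service_file, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    stripped = [line.strip() for line in lines]
    if NO_LOOKUPS_LINE in stripped:
        return False
    if "[Service]" in stripped:
        lines.insert(stripped.index("[Service]") + 1, NO_LOOKUPS_LINE)
    else:
        lines += ["[Service]", NO_LOOKUPS_LINE]
    with open(service_file, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return True


def run_demo():
    """Build a constructed jar and unit file in a temp dir and run the mitigation."""
    work = tempfile.mkdtemp()
    jar = os.path.join(work, "log4j-core-sample.jar")  # constructed name, not a real build
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
        z.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe")
    unit = os.path.join(work, "vityl-storm-sample.service")  # constructed unit file
    with open(unit, "w", encoding="utf-8") as fh:
        fh.write("[Unit]\nDescription=sample\n\n[Service]\nExecStart=/bin/true\n")
    result = {
        "before": scan_tree(work),
        "removed": scrub_jar(jar),
        "after": scan_tree(work),
        "unit_changed": ensure_no_lookups(unit),
        "unit_changed_again": ensure_no_lookups(unit),
    }
    with zipfile.ZipFile(jar) as z:
        result["kept"] = sorted(z.namelist())
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Running `scan_tree` on the VCM installation root before and after the mitigation gives a quick check that no flagged class remains in any jar; the .bak files left beside scrubbed jars are what to remove once the permanent fix is installed.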
Please contact Customer Support with any questions. Provide the mitigate.log file for any issues.