To mitigate the risk of Log4Shell and other Log4j-related vulnerabilities in VCM, we recommend customers run the following script until a complete fix becomes available.

This script performs the following:

  • Deletes JndiLookup.class from log4j-core-* jar files and prevents it from being loaded in the application’s classpath.
  • Disables the JNDI (Java Naming and Directory Interface) message lookup feature by setting LOG4J_FORMAT_MSG_NO_LOOKUPS to true in the vityl-storm* service files.
  • Deletes Chainsaw classes from log4j-1.x and other concerning jar files.
  • Deletes JMSAppender class from log4j-core-2.x and log4j-1.x.
  • Deletes JMSSink class from log4j-1.x.
  • Deletes JDBCAppender class from log4j-1.x.

Perform the following steps to run the script:

  1. Copy the script to the system where VCM is installed.
  2. Run the script as the root user using the command:  ./

A mitigate.log file will be generated in the same directory as the script.

For multiple system deployments, run the script on all systems where VCM components are installed.
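
A read-only check to run after the script, added here as an example and not part of the vendor's script: it lists any of the classes named above that are still present in jar files and any vityl-storm* files that do not set LOG4J_FORMAT_MSG_NO_LOOKUPS to true. It also looks inside jars nested in other jars, which goes beyond what this page describes. The function names, the directories passed in, and the NAME=true form of the setting are assumptions.

```python
import glob
import io
import os
import re
import zipfile

# File names of the classes the script is described as deleting (lower-cased).
REMOVED = {"jndilookup.class", "jmsappender.class", "jmssink.class", "jdbcappender.class"}
# Assumed NAME=true form of the setting; commented-out lines do not count.
NO_LOOKUPS = re.compile(r'^[^#\n]*LOG4J_FORMAT_MSG_NO_LOOKUPS\s*=\s*"?true\b', re.I | re.M)


def leftovers_in_jar(jar, label):
    """Return 'archive!entry' strings for listed classes still in one archive."""
    try:
        zf = zipfile.ZipFile(jar)
    except (zipfile.BadZipFile, OSError):
        return [f"{label}!<unreadable>"]  # cannot be verified, so report it
    hits = []
    with zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith((".jar", ".war")):  # archive nested inside a fat jar
                hits += leftovers_in_jar(io.BytesIO(zf.read(name)), f"{label}!{name}")
            elif low.endswith(".class") and (
                low.rsplit("/", 1)[-1] in REMOVED or "/chainsaw/" in low
            ):
                hits.append(f"{label}!{name}")
    return hits


def scan_jars(root):
    """Walk root (assumed VCM install directory) and check every .jar under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(f for f in files if f.lower().endswith(".jar")):
            path = os.path.join(dirpath, fn)
            hits += leftovers_in_jar(path, path)
    return hits


def services_missing_flag(service_dir):
    """Return vityl-storm* files in service_dir that do not set the flag to true."""
    pattern = os.path.join(service_dir, "vityl-storm*")
    missing = []
    for path in sorted(filter(os.path.isfile, glob.glob(pattern))):
        with open(path, errors="replace") as fh:
            if not NO_LOOKUPS.search(fh.read()):
                missing.append(path)
    return missing
```

Both functions returning an empty list on every system where VCM components are installed is the expected result after the mitigation has run.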

Please contact Customer Support with any questions. Provide the mitigate.log file for any issues.
