For further information on the vulnerability, you can follow the Apache Log4j site. See the resolution below to eliminate the vulnerability in SBM. This will be necessary for all versions of SBM including SBM 12.
Doing so will break the installation. Even though VM 8.6.3 is not affected by known vulnerabilities involving log4j 1.2.17, Micro Focus will replace that code in the upcoming VM 8.6.3.3 patch, expected to be released soon. If you are running a Version Manager release prior to 8.6.3 and are concerned about security vulnerabilities, please upgrade to PVCS VM 8.6.3 (or newer) and install the latest patch available for that release.
The full Micro Focus statement on the Log4j Vulnerability is available on the Product Security Response Center. Deployment Automation uses a version of log4j which is lower than 2.0 and therefore is not affected by this vulnerability.
The full Micro Focus statement on the Log4j Vulnerability is available on the Product Security Response Center. To mitigate this vulnerability in the SBM platform, follow the steps provided in KB S143605. For the latest mitigation guidance from Apache, please refer to https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
ALM Solution Connector 6.2.5 has been released and includes Log4j version 2.17.1. The release can be downloaded from the SLD Download Center. Be sure to install the new Micro Focus Common Tomcat and not just the war files.
The JBoss server.log size and rotation can be customised in the file <JBoss_HOME>\server\default\conf\jboss-log4j.xml (e.g. for a default SBM install it would be C:\Program Files\Serena\SBM\Common\jboss405\server\default\conf\jboss-log4j.xml)