Context:

Log4j released a significant update in version 2.15 to address a major security vulnerability found (see here for more detail). An additional vulnerability was identified & resolved in log4j version 2.16. 

The latest version for customers to upgrade their HCP secondary gateway & private clouds is HCP 3.18.3 which contains log4j 2.16.

Issue:

Some customers are unable to upgrade HCP for multiple reasons but they still want to be protected against the log4j vulnerability.

Resolution:

Customers should add the below line into the config file: /opt/hcp/conf/wrapper-hcp-server.conf

wrapper.java.additional.14=-Dlog4j2.formatMsgNoLookups=true

Example:

HCP service restart is required after the change has been applied:

sudo systemctl restart hcp-server