ASM (App Synthetic Monitor)
The ASM Engineering team has confirmed that ASM 10.7.6 core servers (dashboard, API, reports, alerting, monitor scheduler) are not vulnerable.
The team has also investigated and determined that a few components of the public and on-premise monitoring stations contain log4j versions that may be exposed to the vulnerability.
The team has prepared a hotfix release, 10.7.8, that upgrades log4j to version 2.16.0, which is not vulnerable. It will be deployed on December 16.
To mitigate the exposure to the vulnerability on on-premise monitoring stations, upgrade them to version 10.7.8 once it is released.
Alternatively, exposure can be mitigated by running the following commands:
zip -q -d /opt/asm/jmeter/4.0/lib/log4j-core-2.10.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
monit restart jmeter4-agent
zip -q -d /opt/asm/jmeter/2.13/lib/log4j-core-2.10.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
monit restart jmeter2-agent
Customers with OPMS will have to run the installer after the release for the fix to take effect.
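
A check that the class removal above took effect on both jars, as an added example that is not part of the original advisory. It uses the jar paths and class name from the commands above; the function names and status labels are assumptions made for illustration.

```python
import os
import zipfile

# Class that the advisory's `zip -q -d` commands remove from log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Jar paths taken from the advisory's commands.
ASM_JARS = [
    "/opt/asm/jmeter/4.0/lib/log4j-core-2.10.0.jar",
    "/opt/asm/jmeter/2.13/lib/log4j-core-2.10.0.jar",
]


def jar_status(path):
    """Return 'missing', 'unreadable', 'mitigated' or 'exposed' for one jar."""
    if not os.path.isfile(path):
        return "missing"
    try:
        with zipfile.ZipFile(path) as jar:
            # testzip() re-reads every entry, so a jar damaged while being
            # edited is reported instead of being counted as mitigated.
            if jar.testzip() is not None:
                return "unreadable"
            names = jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return "unreadable"
    return "exposed" if JNDI_CLASS in names else "mitigated"


def check(paths):
    """Map each jar path to its status."""
    return {p: jar_status(p) for p in paths}


def build_sample_jar(path, with_jndi):
    """Write a constructed stand-in for log4j-core (self-check only)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


if __name__ == "__main__":
    results = check(ASM_JARS)
    for path, status in results.items():
        print(f"{status:10} {path}")
    # Non-zero exit if any jar still carries the class or cannot be read.
    failed = {"exposed", "unreadable"} & set(results.values())
    raise SystemExit(1 if failed else 0)
```

A "mitigated" result only describes the file on disk; the running agent picks up the change after the `monit restart` commands above.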