APM Vulnerability Issues

Article ID: 261892

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

We have 2 VTM issues showing up on our scans for our Introscope servers.

We are currently running on APM10.7.0HF84
1) /opt/Introscope/APM/APMSqlServer/repo/log4j_1.2.17-cloudera1-nonet.jar

Do you have a new log4j that can be downloaded?
2) Multiple Java VTM issues

Do you have a new version of Java that can be used with Introscope?
Environment

Release :

Resolution

1) It is recommended to remove APMSqlServer instead of patching log4j.

Per Broadcom Engineering:

  • "Broadcom Engineering has determined that the external APMSQL Server bundle available as an additional download for APM 10.5 and 10.7 uses an affected version of Log4j 1.2 and its use should be discontinued. To replace this functionality, please use the built-in APM RestAPI instead. Please refer to the APM documentation on usage of the APM RestAPI to remotely query/download APM metrics over http/https connections."

2) You can install a current Java (update the .lax files as needed).

See KB:

https://knowledge.broadcom.com/external/article/237061/have-to-upgrade-java-on-em.html

You can install the upgraded JVM/JDK at any location and then modify Introscope_Enterprise_Manager.lax and Introscope_WebView.lax to point at the new JVM path.

You can also install the JVM under APM-HOME/jre (this is the default location of the JVM). In this case, first rename the existing APM-HOME/jre and then install the new JVM/JDK there.
If you choose this procedure, you do not have to modify Introscope_Enterprise_Manager.lax and Introscope_WebView.lax, as the path remains the same.

APM will be using OpenJDK:
https://knowledge.broadcom.com/external/article?articleId=135805

Presently, customers have two options.

1- Swap with OpenJDK.
2- Install the vulnerability mitigation (upgrades) for Oracle Java (review KB: https://knowledge.broadcom.com/external/article?articleId=132318).

1- Swap with OpenJDK.
Procedure:

Manual steps to introduce AdoptOpenJDK:

1. Stop Enterprise Manager:
   cd <EM_HOME>/bin
   ./EMCtrl.sh stop
2. Stop WebView:
   cd <EM_HOME>/bin
   ./WVCtrl.sh stop
3. Copy the contents of the jre folder in the <EM_HOME> directory to a new folder, jreBackup.
4. Delete all the contents inside the jre folder in the <EM_HOME> directory.
5. Download the JRE of AdoptOpenJDK and put its contents into the jre folder in the <EM_HOME> directory:
   https://adoptopenjdk.net/archive.html?variant=openjdk8&jvmVariant=hotspot
6. Start Enterprise Manager and WebView:
   cd <EM_HOME>/bin
   ./EMCtrl.sh start
   cd <EM_HOME>/bin
   ./WVCtrl.sh start
7. Verify that AdoptOpenJDK is being used by checking the logs.
   In IntroscopeEnterpriseManager.log you should see something like the following:
   [INFO] [main] [Manager] Introscope Enterprise Manager Release 10.7.0.220 (Build 994002)
   [INFO] [main] [Manager] Using Java VM version "OpenJDK 64-Bit Server VM 1.8.0_222" from AdoptOpenJDK
   In IntroscopeWebView.log you should see something like the following:
   [INFO] [WebView] Introscope WebView Release 10.7.0.220 (Build 994002)
   [INFO] [WebView] Using Java VM version "OpenJDK 64-Bit Server VM 1.8.0_222" from AdoptOpenJDK
8. If you have installed Workstation separately, follow the same process as above:
   - make sure Workstation is not running
   - create a backup of its jre folder
   - copy the contents of the JRE of AdoptOpenJDK into the jre folder of Workstation
   - start Workstation
9. If you access Workstation through Webstart and AdoptOpenJDK is in use on the machine from which you access Workstation, Workstation will fail to start.

* You must apply the above steps to each of the APM components (for example MoM, Collectors, WebView, Workstation, etc.).
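As an added example (not part of this article and not a Broadcom tool), the following POSIX shell script automates the verification in step 7 and the check behind resolution item 1: it parses the "Using Java VM version" line from the Introscope logs and reports whether the APMSqlServer log4j 1.2 jar is still on disk. It assumes the install root is passed as the first argument, that the logs sit under <install root>/logs, and that the jar lives at the APMSqlServer/repo path quoted in the issue.

```shell
#!/bin/sh
# Added example, not from the KB article or from Broadcom: post-change checks for
# the two scan findings. Assumed layout: $1 is the install root, logs are under
# $1/logs, and the APMSqlServer bundle is under $1/APMSqlServer/repo.

# Print the vendor named in the last 'Using Java VM version "..." from <vendor>'
# line of an Introscope log (IntroscopeEnterpriseManager.log or IntroscopeWebView.log).
jvm_vendor_from_log() {
  sed -n 's/.*Using Java VM version "[^"]*" from \(.*\)$/\1/p' "$1" | tail -n 1
}

# Succeed (exit 0) only when the log shows an OpenJDK-based VM, i.e. the swap in
# steps 1-7 took effect; an Oracle vendor string or a missing line fails.
check_jvm_is_openjdk() {
  vendor=$(jvm_vendor_from_log "$1")
  [ -n "$vendor" ] || return 1
  case "$vendor" in
    *AdoptOpenJDK*|*OpenJDK*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed when a log4j 1.2 jar from the APMSqlServer bundle is still present,
# i.e. resolution item 1 (remove APMSqlServer) has not been carried out.
apmsql_log4j_present() {
  ls "$1"/APMSqlServer/repo/log4j_1.2*.jar >/dev/null 2>&1
}

# Run both checks against a real install:  sh apm_post_change_check.sh /opt/Introscope/APM
if [ -n "${1:-}" ]; then
  root=$1
  rc=0
  for log in "$root"/logs/IntroscopeEnterpriseManager.log "$root"/logs/IntroscopeWebView.log; do
    [ -f "$log" ] || continue
    if check_jvm_is_openjdk "$log"; then
      echo "OK   $log: VM from $(jvm_vendor_from_log "$log")"
    else
      echo "FAIL $log: not running OpenJDK (vendor: '$(jvm_vendor_from_log "$log")')"; rc=1
    fi
  done
  if apmsql_log4j_present "$root"; then
    echo "FAIL log4j 1.2 jar still present under $root/APMSqlServer/repo; remove APMSqlServer"; rc=1
  fi
  exit $rc
fi
```

Run it on every EM, Collector and WebView host after the swap; a non-zero exit means at least one check still fails.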

Note: Broadcom is not permitted to distribute any higher versions of Oracle Java. However, if you wish to swap the version of Java within your own installation to a higher update of Oracle Java or AdoptOpenJDK 1.8, Broadcom Technical Support will support it.