Important Note: Upgrades documented in the aforementioned advisory should be applied to remediate CVE-2021-44228 when available.
Based on the guidance from the Apache log4j security vulnerability disclosure, there are no comprehensive mitigations to CVE-2021-44228 for Tanzu Scheduler versions prior to 1.6.1. We strongly recommend upgrading to Tanzu Scheduler 1.6.1 to ensure that CVE-2021-44228 is properly remediated. If you have already applied the partial mitigation by setting the environment variable "LOG4J_FORMAT_MSG_NO_LOOKUPS", we do not recommend removing the change or rolling it back. Tanzu Scheduler is likely less vulnerable with this partial mitigation in place; however, we do recommend upgrading as soon as possible.
To verify if the workaround for CVE-2021-44228 was previously applied to Tanzu Scheduler, perform the following steps:
1. SSH into the scheduler application:
$ cf ssh scheduler ...
2. Verify the “LOG4J_FORMAT_MSG_NO_LOOKUPS” environment variable is set correctly in the scheduler application’s container:
$ env | grep LOG4J
LOG4J_FORMAT_MSG_NO_LOOKUPS=true
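The check above can be scripted so that the result is unambiguous across several scheduler instances. The following is an added example, not part of the VMware advisory: it classifies the container's `env` output as mitigated (variable set to true), misconfigured (variable present with another value) or absent, and a wrapper collects that output over `cf ssh`. It assumes a logged-in cf CLI and the application name `scheduler` used in the steps above.

```shell
#!/usr/bin/env bash
# Added example (not from the VMware KB): decide whether the partial
# CVE-2021-44228 mitigation LOG4J_FORMAT_MSG_NO_LOOKUPS=true is present
# in the environment of a Tanzu Scheduler container.
# Return codes: 0 = mitigation set, 1 = variable set but not "true",
#               2 = variable absent.  In every case the real fix is the
#               upgrade to Tanzu Scheduler 1.6.1 described above.
classify_log4j_mitigation() {
  # $1 is the full text captured from `env` inside the container.
  env_text="$1"
  if ! printf '%s\n' "$env_text" | grep -q '^LOG4J_FORMAT_MSG_NO_LOOKUPS='; then
    echo "ABSENT: partial mitigation not applied; upgrade to Tanzu Scheduler 1.6.1"
    return 2
  fi
  # Take the first assignment and normalise case, since Log4j parses the
  # value as a boolean case-insensitively.
  value=$(printf '%s\n' "$env_text" \
    | sed -n 's/^LOG4J_FORMAT_MSG_NO_LOOKUPS=//p' | head -n 1 \
    | tr '[:upper:]' '[:lower:]')
  case "$value" in
    true)
      echo "PRESENT: partial mitigation in place; upgrade still required"
      return 0 ;;
    *)
      echo "MISCONFIGURED: LOG4J_FORMAT_MSG_NO_LOOKUPS='$value' is not 'true'"
      return 1 ;;
  esac
}

# Wrapper: run `env` in the application container over cf ssh (assumed
# app name "scheduler", as in the KB steps) and classify the result.
check_scheduler_app() {
  app="${1:-scheduler}"
  env_text=$(cf ssh "$app" -c 'env') || { echo "cf ssh $app failed" >&2; return 3; }
  classify_log4j_mitigation "$env_text"
}
```

Run `check_scheduler_app scheduler` from a shell that is logged in with the cf CLI; a non-zero exit code means the partial mitigation is not confirmed on that instance.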