IBM Support

Workaround for CVE-2025-68161

Troubleshooting


Problem

Security scans can report VM Manager Tool as vulnerable to CVE-2025-68161. 

Resolving The Problem

Due to the way log4j is set up, CVE-2025-68161 cannot be exploited on any instance of the VM Manager Tool. However, to prevent security scans from reporting the potential vulnerability, you can substitute two .jar files in the VM Manager Tool. 

  1. Download the latest version of the log4j binaries from https://downloads.apache.org/logging/log4j/2.25.3/.
  2. Log in to the computer where the VM Manager Tool is installed.
  3. To stop the VM Manager Tool, perform the following steps:
    • For central, distributed, and disconnected VM Manager Tool, run the following command:
      • Linux: ./vmman.sh -stop
      • Windows: vmman.bat -stop
    • For the local VM Manager Tool, stop the License Metric Tool server. For more information, see the product documentation.
  4. Substitute the following two .jar files with the latest versions that you downloaded. The libraries are in the VM Manager Tool installation directory in the lib subfolder. The default installation directory depends on the type of the VM Manager Tool that you are using. For more information, see the product documentation.
    • log4j-core-2.17.1.jar
    • log4j-api-2.17.1.jar
  5. To start the VM Manager Tool, perform the following steps:
    • For central, distributed, and disconnected VM Manager Tool, run the following command:
      • Linux: ./vmman.sh -run
      • Windows: vmman.bat -run
    • For the local VM Manager Tool, start the License Metric Tool server. For more information, see the product documentation.
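
The jar substitution in step 4 can be scripted with checks, as in the following added example (not IBM-provided code). The function names, the argument layout and the backup directory are assumptions, as is keeping the upstream file names log4j-core-2.25.3.jar and log4j-api-2.25.3.jar for the new jars. The old jars are moved out of lib rather than renamed in place, because a scanner that inspects file contents still reports a renamed copy left in the directory.

```shell
#!/bin/sh
# Added example (not IBM-provided): step 4 of the procedure, with checks.
# Stop the VM Manager Tool first (step 3) and start it afterwards (step 5).
OLD_VER="2.17.1"   # version of the jars named on the page
NEW_VER="2.25.3"   # version in the page's download URL

# Succeeds only if lib holds exactly one log4j-core and one log4j-api jar,
# both at NEW_VER (checked by file name).
check_lib() {
    lib_dir=$1
    found=$(cd "$lib_dir" && ls log4j-core-*.jar log4j-api-*.jar 2>/dev/null \
            | sort | tr '\n' ' ')
    [ "$found" = "log4j-api-$NEW_VER.jar log4j-core-$NEW_VER.jar " ]
}

# swap_log4j LIB_DIR NEW_DIR BACKUP_DIR
#   LIB_DIR    lib subfolder of the VM Manager Tool installation directory
#   NEW_DIR    directory holding the extracted 2.25.3 jars (assumed layout)
#   BACKUP_DIR where the 2.17.1 jars are moved; must be outside LIB_DIR
swap_log4j() {
    lib_dir=$1; new_dir=$2; backup_dir=$3
    for part in core api; do
        [ -f "$new_dir/log4j-$part-$NEW_VER.jar" ] || {
            echo "missing new jar: log4j-$part-$NEW_VER.jar" >&2; return 2; }
        [ -f "$lib_dir/log4j-$part-$OLD_VER.jar" ] || {
            echo "old jar not in $lib_dir: log4j-$part-$OLD_VER.jar" >&2; return 3; }
    done
    # Simple prefix check; pass absolute paths without a trailing slash.
    case "$backup_dir/" in
        "$lib_dir"/*) echo "backup dir must be outside lib" >&2; return 4 ;;
    esac
    mkdir -p "$backup_dir" || return 5
    for part in core api; do
        cp -p "$new_dir/log4j-$part-$NEW_VER.jar" "$lib_dir/" || return 6
        mv "$lib_dir/log4j-$part-$OLD_VER.jar" "$backup_dir/" || return 6
    done
    check_lib "$lib_dir"
}
```

Nothing is changed unless both new jars and both old jars are present, so a partial download or a wrong lib path fails before any file is touched.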

A new version of log4j is planned to be delivered with License Metric Tool application update 9.2.43 at the end of March 2026. Plans are subject to change.

Document Location

Worldwide


Document Information

Modified date:
16 March 2026

UID

ibm17261539