ALM Octane which is web based application life cycle management tool which is used to track the requirements and bugs have been also affected by this vulnerability. The products affected as ALM 15.5 and above, ALM Octane (all versions), Quality Insight Server (QIS) > 16.0.0 and Global Search! As of now for these products there has been no patches but only mitigations have been announced by the Microfocus team. The Mitigation Pl
Step 1: Locate the wapper.conf file in the ALM/Octane deployment location (It would be under ALM\wrapper) for ALM and for Octane it would be under (Octane/wrapper)
Step 2: Add below configuration in wrapper.conf under wrapper directory
wrapper.java.additional.80=-Dlog4j2.formatMsgNoLookups=true
Step 3: If the number 80 is already used, then use another number as the numbers must be unique in the wrapper.conf. It can be added anywhere in the wrapper.conf file
Step 4: After saving the file, restart the Octane/ALM server. if there are multiple nodes restart the same!
The above steps are only for ALM/Octane deployment and not for GlobalSearch/QIS for which hotfixes patches would be made available soon
Microfocus has released a KB on the same – https://portal.microfocus.com/s/article/KM000003002
Sample wrapper file :