As we are still waiting for patch to be released, here is a workaround provided by VMware which need to be applied to Site Recovery Manager.
Run list:
- Make sure SSH access is enabled (appliance at 8.3 or newer)
- Login to SRM Appliance Manager Interface as admin
- Click ACCESS
- In the SSH pane, click Enable


- Download script : disable_log4j_srm.bash – NOTE: this is script provided by VMware and links directs to VMware repository
- Copy disable_log4j_srm.bash to
/root
vis SCP

NOTE: if you will get error about permission, copy file to /tmp
folder. After SSH and change to root you can copy that file from /tmp
to /root
- Log in to the Site Recovery Manager Virtual Appliance via ssh as the admin user.
- Change to root by typing:
su

- Stop all Java services by running those commands:
systemctl stop dr-client.service
systemctl stop drconfigui.service
systemctl stop dr-configurator.service
- Run this command to make a script executable:
chmod +x /root/disable_log4j_srm.bash

- Run the script:
/root/disable_log4j_srm.bash

NOTE: You might see the following message for each log4j-core-*-sources.jar zip “JndiLookup.class not found in /path/to/log4j-core-2.13.3-sources.jar”. This is expected behavior and safe to ignore, as the workaround is not needed
If you see a warning message, manual verification of the file and its contents are needed.
- Restart all Java services:
systemctl start dr-client.service
systemctl start drconfigui.service
systemctl start dr-configurator.service
- Verify that the vulnerable jars are mitigated successfully:
grep -R 'JndiLookup.class' /opt/vmware/
grep -R 'JndiLookup.class' /var/opt/apache-tomcat/
NOTE Those commands should not to return any results. If it does please return to step 1 and re-run the workaround.

- Verify the environmental variables have been properly set (all in one line):
for pid in $( ps ax | grep java | grep -v grep | awk '{print $1}' ); do cat /proc/$pid/environ |tr '\0' '\n' | grep "LOG4J_FORMAT_MSG_NO_LOOKUPS"; done
NOTE: expected output multiple lines of “LOG4J_FORMAT_MSG_NO_LOOKUPS=true”

Source: https://kb.vmware.com/s/article/87123
Please like and share to spread the knowledge in the community.
If you want to chat with me please use Twitter: @AngrySysOps
Visit my FB page: https://www.facebook.com/AngrySysOps
Read my blog: https://angrysysops.com
Subscribe to my channel : https://www.youtube.com/channel/UCRTcKGl0neismSRpDMK_M4A