topic Re: SSMC and log4j vulnerability in HPE 3PAR StoreServ Storage

SSMC and log4j vulnerability

aireynol — Tue, 14 Dec 2021 13:03:41 GMT

SSMC 3.8.1 is vulnerable to log4j (cve-2021-44228), if you have any public facing instances I would suggest shutting them down while we wait for a bulletin.

Also myenterpriselicense.hpe.com has been down all morning so can't get 3.8.2 to test against that.

Edit: site is back up

Edit1: 3.8.2 is still vulnerable in my testing. I have also heard reports Service Processor is vulnerable although I have not been able to confirm with testing.

Query: SSMC and log4j vulnerability

support_s — Mon, 13 Dec 2021 15:12:55 GMT

System recommended content:

1. Notice: Apache Software Log4j - Security Vulnerability CVE-2021-44228

2. Servlets: log4j synchronized logging issues from multiple JVM processes

If the above information is helpful, then please click on "Thumbs Up/Kudo" icon.

Thank you for being a HPE community member.

Re: SSMC and log4j vulnerability

QuintonH — Tue, 14 Dec 2021 01:35:36 GMT

The Software Depot site seems to have been down for 24 hours - Have tryied multiple times in this time - Getting errors like:

Internal Server Error - Read

The server encountered an internal error or misconfiguration and was unable to complete your request.

Reference #3.9667cd17.1639443263.1103c702

Can you advise when this site is expected to be back up and running?

Re: SSMC and log4j vulnerability

sbhat09 — Tue, 14 Dec 2021 03:58:59 GMT

The link to download SSMC is still down. I will let you know if I get any updates or the link starts working.

Regards,

Srinivas Bhat

Re: SSMC and log4j vulnerability

cesarpegado — Tue, 14 Dec 2021 09:21:25 GMT

I can get the HPE website, but i all i seem to find is release notes for 3.8.2 but i can't find the actual download

Re: SSMC and log4j vulnerability

Jyothiyash — Tue, 14 Dec 2021 09:49:01 GMT

Latest release notes are not pdf downloads. Release notes for SSMC v3.8.2 is available only for online reference.
You can refer this URL for release notes information https://myenterpriselicense.hpe.com/cwp-ui/free-software/SSMC_CONSOLE
Hyperlinks are available for additional details as well.

Regards

Jyothi (HPE Employee)

Re: SSMC and log4j vulnerability

cesarpegado — Tue, 14 Dec 2021 10:01:01 GMT

Thank you, i can download it from your link

Re: SSMC and log4j vulnerability

ArjanSchepers — Tue, 14 Dec 2021 10:09:05 GMT

So I was able to download 3.8.2. But I cannot find anything if the log4j exploit is fixed or not. Anyone with more information care to chip in?

Re: SSMC and log4j vulnerability

sbhat09 — Tue, 14 Dec 2021 13:07:22 GMT

Hello @ArjanSchepers,

The release notes (as on 9th Dec 2021) say SSMC v3.8.2 includes "important security fixes that strengthen the security posture of SSMC appliance. HPE strongly recommends that you upgrade your SSMC appliance to this version."

Later (As on 13th Dec 2021) the below document confirms that HPE 3PAR is not affected by 'Log4j' vulnarability.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us

There is no official confirmation about whether the vulnerability is fixed in the SSMC v3.8.2.

I will keep you posted if I can get more details.

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.

Re: SSMC and log4j vulnerability

Raz2 — Tue, 14 Dec 2021 11:02:11 GMT

Hi WE have some old G6 blades and chassis We wanted to check if these are affected ?

Thanks

Re: SSMC and log4j vulnerability

sbhat09 — Tue, 14 Dec 2021 11:13:10 GMT

Hello @Raz2,

Here is the list of HPE Products that are NOT affected by the vulnerability (after recommended upgrade). HPE is working on to safeguard rest of the actively supported products. Please refer the list below:

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.

Re: Query: SSMC and log4j vulnerability

monardo — Tue, 14 Dec 2021 11:32:37 GMT

Dear HPE, so the SSMC version 3.7.2 can be vulnerable ?

thanks a lot

Monardo

Re: Query: SSMC and log4j vulnerability

sbhat09 — Tue, 14 Dec 2021 12:44:21 GMT

Hello @monardo,

This vulnerability was just found last week (9th December 2021 I think). SSMC 3.7.2 is the older release.

As per my news sources, in it's standard form, I don't think SSMC v3.7.2 is vulnerable in a secured network. However, HPE has not confirmed that v3.7.2 is safeguarded from the vulnerability as well. Vulnerability also depends on your network security, other cloud and web application, APIs and other plugins.

I recommend you to get that confirmed by your IT security team.

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.

Re: SSMC and log4j vulnerability

ArjanSchepers — Tue, 14 Dec 2021 12:19:36 GMT

Yes, please keep us posted. "Looks like the vulnerability is fixed" is not good enough for us, we need to be sure. In the meantime, we shut down the SSMC appliance.

Re: SSMC and log4j vulnerability

sbhat09 — Tue, 14 Dec 2021 12:54:42 GMT

Hello @ArjanSchepers,

This notice (URL below) states that 3PAR, Primera, alletra and several other HPE systems are safe from the vulnerability. But doesn't explicitly confirms about the SSMC. I will post it here when I can get that confirmation.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.

Re: SSMC and log4j vulnerability

aireynol — Tue, 14 Dec 2021 13:03:03 GMT

3.8.2 is still vulnerable in my testing. I have also heard reports Service Processor is vulnerable although I have not been able to confirm with testing.

Re: SSMC and log4j vulnerability

monardo — Tue, 14 Dec 2021 13:50:13 GMT

Yes, I saw this document and it is not totally complete...

Re: SSMC and log4j vulnerability

sbhat09 — Tue, 14 Dec 2021 14:06:58 GMT

Got an update that SSMC v3.8.2 is not confirmed as safe against the 'log4j' vulnerability.

The fix for the vulnerability is in progress. But there s a workaround available as well. Please contact HPE support if waiting for the fix is not an option for you.

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.

Re: SSMC and log4j vulnerability

fnbit — Tue, 14 Dec 2021 18:11:35 GMT

From what I can tell, SSMC 3.8.2 is patching a completely different CVE (CVE-2021-29214)...I think its release timing of December 9th is what's confusing. I would imagine that 3.8.2 is stil vulnerable to CVE-2021-44228.

CVE-2021-29214

CVE-2021-44228

Re: SSMC and log4j vulnerability

ArjanSchepers — Wed, 15 Dec 2021 11:47:22 GMT

Can you please post the workaround? I'm currently juggling around with at least 5 affected products in my organization, I do not have time to contact each supplier individually. We need a public facing website with workarounds, patches or other means of mitigation. Thank you @sbhat09