topic Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed in HPE 3PAR StoreServ Storage

Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

sbhat09 — Mon, 20 Dec 2021 07:55:10 GMT

Hello all,

The latest SSMC update v3.8.2.1 is now available for download.

This version includes important security fixes and adheres to NIST SP 800-53 guidelines. It addresses the log4j vulnerability (CVE-2021-44228) as well.

https://myenterpriselicense.hpe.com/cwp-ui/free-software/SSMC_CONSOLE

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.

Re: Latest SSMC update v3.8.2.1 is available for download

aireynol — Sat, 18 Dec 2021 16:13:58 GMT

Thanks for the quick turnaround. Do you have an ETA for Service Processor 5.x patch?

Re: Latest SSMC update v3.8.2.1 is available for download

sbhat09 — Mon, 20 Dec 2021 08:54:00 GMT

Hello @aireynol,

I don't have any updates yet. Are you finding it vulnerable to log4j in your tests?

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.

Re: Latest SSMC update v3.8.2.1 is available for download

aireynol — Mon, 20 Dec 2021 09:37:44 GMT

I have not been able to independently confirm it is vulnerable however it is listed a vulnerable in the security bulletin so I have shut mine down for now.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

LewisP — Mon, 20 Dec 2021 13:53:30 GMT

Thank you for letting us know! But I don't see any of the .star upgrade packages on that page. Am I just missing them as don't seem to be able to find any .star packages for 3.8 or above, just the ISO files. I am currently on 3.7.2 and it wants the .star upgrade files to do an inplace upgrade.

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

Bertram Stoeckler — Mon, 20 Dec 2021 14:06:12 GMT

The *.star file is in the iso-file.

If you are on 3.7.x, then you will need to.

0. Create a snapshot on your ESX/vmware/hyperV environment as a backup.

1. download the 3.8.0 iso-file

2. mount the 3.8.0 iso-file on the PC.

3. There you will find the 3.8.0*.star file that you can pick up for the upgrade.

4. download the 3.8.2.1 iso-file

5. mount the 3.8.2.1 iso-file

6. pickup the 3.8.2.1.* star file and do the upgrade.

You may also directly go to 3.8.2.1. But I have not tested this.

Hope that helps.

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

LewisP — Mon, 20 Dec 2021 14:11:51 GMT

Thank you Bertram! Definitely too early on a Monday and need more coffee or I might have remembered that.

Will add that to the notes I have for my team because I left that step out.

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

Bertram Stoeckler — Mon, 20 Dec 2021 16:26:20 GMT

A general comment about SSMC upgrade from older versions. Version 3.4.x and 3.5.x (not the windows 3.3.1 version !!)

First: You can find the version of your SSMC appliance in the right-bottom corner of the SSMC-appliance page.

If your current version is 3.6.x or above, then you can stop reading this post.

If your current version is 3.4.x or 3.5.x then you won´t be able to directly upgrade to version 3.8.2.1.

You either need to first upgrade to version 3.6, or you need to do a new installation of SSMC 3.8.

I would recommend that you do a new installation of SSMC 3.8.0 followed by an upgrade to SSMC 3.8.2.1. A new installation usually does not last more than 30 minutes. Also note that it is possible to run 2 SSMC-instances in parallel, So you can let the old-version running, while the new one is setup. That way you can test the new version. The old instance should then be disconnected as any additional instance adds load the connected arrays.

The upgrade limitation is also documented in the administration guide:

While upgrading from version 3.4.0.x, SSMC does not display any minimum version error message but generally
fails. Hewlett Packard Enterprise recommends you to upgrade to 3.6.0.0 version before upgrading to later
versions. To upgrade to HPE SSMC 3.8.0.0, you must have a minimum version of HPE SSMC 3.6.0.0.

If you have a complex setup (many arrays and many self-created reports) and you prefer to upgrade to SSMC 3.8.2.1 via the interim version of 3.6, then you should open a support case, as the 3.6 version is not available on the HPE-download center.

For those who decide to do this, or who have an 3.6.x version available i also want to emphasize on an important change that came with SSMC 3.6, also mentioned in the administration guide:

Unified Login credentials for Administrative Access from SSMC 3.6 onwards
From HPE SSMC 3.6 release onwards, the web administrator account is merged with the appliance administrator
account. As a result, there is a single locally defined unified application administrator account for all SSMC.
If you are upgrading from a version prior to HPE SSMC 3.6 release, then the web administrator credentials, if
defined already, expires and you have to use ssmcadmin (same password that you use for appliance access)
to log in to the web GUI as well.
The single local account ( ssmcadmin ) remains as the only emergency account for all SSMC

Why this is important:

We had a couple of customers who could not remember the ssmcadmin password. They never, or only once have logged in to the SSMC-TUI and then forgot the password, as with SSMC 3.4.x and SSMc 3.5.x the Web-based-administrator login, the one you use when adding an array, or when upgrading SSMC is a different user, and the TUI access once the SSMC is completly setup, is never used.

So what happened was this:

1. customer logged in via the GUI-admin user and started the upgrade to SSMC 3.6

2. SSMC 3.6 during the upgrade removes the GUI-admin account and merges it with the TUI-ssmcadmin acount.

3. Since the customer forgot about the TUI-ssmcadmin password, they were not able to upgrade further or to add any array. Resetting the password at that point is NOT possible as you need the TUI-ssmcadmin credentials to do this.

HPE-support is also not able to reset the password because there is no root-access on the appliance.

To prevent this from happening you should do this:

Prior to the upgrade from version 3.4.x or 3.5.x to the interim version 3.6.x: Check if you can ssh-login as the "ssmcadmin" user to the TUI . Keep the password in mind as you will need it to do the further updates via the ssmcadmin user.

(One addtional note: Starting with SSMC 3.6, the appliance allows the configuration of a password-recovery via email)

I hope that this was not too confusing.

As i wrote, instead of an upgrade from 3.4.x or 3.5.x, you can do a new installation of 3.8.0 plus an upgrade to 3.8.2.1.

Re: Latest SSMC update v3.8.2.1 is available for download

Superscouser — Wed, 23 Apr 2025 11:21:55 GMT

Looks like SP 5.0.9.2 will fix it

~~https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00002915en_us~~ Moderator [above link is no longer valid, please visit https://support.hpe.com/connect/s/ to find the latest info ]

Fixes

The following issue is addressed in 5.0.9.2 release:

Issue ID:

350855

Issue summary:

CVE-2021-44228 and CVE-2021-45046 - Log4j and Log4Shell Security Vulnerabilities.

Affected platforms:

Only SP.

Affected software versions:

All versions from 5.0 onwards.

Issue description:

Security fixes for CVE-2021-44228 (Log4Shell) and CVE-2021-45046 are available in this patch release. Hewlett Packard Enterprise strongly recommends you to upgrade HPE Service Processor to 5.0.9.2 patch release as early as possible.

Conditions of occurrence:

N/A

Impact:

High

Customer circumvention:

Upgrade to patch 5.0.9.2Customer recovery step: N/A

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

goslackware — Mon, 20 Dec 2021 22:14:57 GMT

Here's SSMC v3.6: https://myenterpriselicense.hpe.com/cwp-ui/software-update-details?productNumber=HPE_STORAGE_SSMC&version=3.6&impersonationFlow=searchProductByFamilyFlow
ISO: HPE_SSMC_3.6_SW_QR482-11420.iso

You'll need to have contract access to it.

However, I think starting fresh on SSMC 3.8 will be fine.

Re: Latest SSMC update v3.8.2.1 is available for download

Bertram Stoeckler — Tue, 21 Dec 2021 12:44:51 GMT

Please check again the document you referred to, as it got updated, yesterday.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us

In that document search for "SSMC" and follow the SSMC security bulletin.

You will find this:

===

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HPE StoreServ Management Console (SSMC) -Prior to v3.8.2.1

===

This is the official statement that all SSMC versions prior to version 3.8.2.1 are impacted.

Version 3.8.2.1 is therefor the fix.

Please let me know if you have any further questions.

Re: Latest SSMC update v3.8.2.1 is available for download

SebSei — Tue, 28 Dec 2021 09:52:05 GMT

Which specific version of log4j is included in the package 8.2.3.1? The linked security bulletin just mentions version 2.16.0, but the generel recommandation is to update to at least 2.17.0

Best regards Sebastian

Re: Latest SSMC update v3.8.2.1 is available for download

SebSei — Tue, 28 Dec 2021 09:52:38 GMT

*package 3.8.2.1

Re: Latest SSMC update v3.8.2.1 is available for download

sbhat09 — Tue, 28 Dec 2021 11:01:21 GMT

Hello @SebSei,

There is no update yet about 2.17.0. The document will be revised when there is an update. I request @Bertram Stoeckler to add if you have any comments on this.

Regards,

Srinivas Bhat

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

syntaxmax — Tue, 28 Dec 2021 23:49:02 GMT

is there a version of the windows software the HPE 3PAR Stor Serv management COnsole. This software seems to come up as having this vulnerability as well. Where does one get the update for this?

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

SebSei — Wed, 29 Dec 2021 09:20:14 GMT

You can use the update option via GUI. Its the same package you can find in the .ISO.

Best regards Sebastian

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

Sys Admin at SASREF — Thu, 30 Dec 2021 06:04:01 GMT

Hi,

Thank you for notifying, KUDOS!

I just wanna know that, I am using 3.3.1 ssmc software, can I upgrade it to v3.8.2.1 or does it needs an individual VM.

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

sbhat09 — Fri, 31 Dec 2021 05:03:33 GMT

Hello @Sys Admin at SASREF,

From v3.3.1 to v3.8.2.1 is not possible. Upto 3.3.x SSMC used to be an application that you install on Windows or Linux OS. v3.4 onwards, it is a 'ready to deploy' appliance that includes OS in the package. So, it needs an individual VM.

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.

Re: Latest SSMC update v3.8.2.1 is available for download

Bertram Stoeckler — Mon, 03 Jan 2022 14:30:16 GMT

log4j 2.17.0 (Java fixes CVE-2021-45105

SSMC 3.8.2.1 has log4j version "2.16", but is NOT vulnerable to the issues reported in CVE-2021-45105.

SSMC does NOT use the feature of a "non-default Pattern Layout with a Context Lookup".

SSMC 3.8.2.1 therefore fixes all currently reported/known log4j vulnerabilities.

Hope that helps.

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

Paolo_c — Mon, 10 Jan 2022 17:09:10 GMT

Good evening,

For customers still running on SSMC v3.3.1.25068, would you also advise doing a new installation to 3.8 , followed by upgrade to SSMC 3.8.2.1. so that we can run tests with the 2 SSMC instances in parallel ? Also with regards to the ssmcadmin user . Is this an account associated with 3.4.x or higher as not familiar with that. We have a 3paradm user (which has full admin rights, and which i use for presenting storage etc) and also have a 3paradm1 account for logging on as Administrator console. Also am I right in thinking that v3.8 and above can only be installed on a VM ? (our current 3.3.1 SSMC runs under Windows Server 2016.