https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156652#M6741 <BLOCKQUOTE><P><SPAN>Just a quick question, you said iLO doesn't use Log4j, But i was under the impression that HPE are currently making a new iLO version to fix this, am I wrong?</SPAN></P></BLOCKQUOTE><P>I'm not sure where you recieved that information from, but iLO is <STRONG>not</STRONG> impacted by CVE-2021-44228.&nbsp; We document major vulnerabilities <A href="https://www.hpe.com/us/en/services/security-vulnerability.html" target="_blank" rel="noopener">here</A>.&nbsp; The specific details to <A href="https://techhub.hpe.com/eginfolib/securityalerts/Apache%20Software%20Log4j/Apache_Software_Log4j.html" target="_blank" rel="noopener">CVE-2021-44228 here</A>.&nbsp; You will see that iLO4 and iLO5 are in the not vulnerable list, <A href="https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120086en_us" target="_blank" rel="noopener">here</A>.&nbsp; We are looking to amend the list to include all versions of iLO.</P> Wed, 15 Dec 2021 16:10:54 GMT ChrisLynch 2021-12-15T16:10:54Z https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156427#M6731 <P>As title says, I'm looking to determine if the OneView or OneView Global Dashboard appliances (And iLO interfaces for that matter) are vulnerable to the Log4j vulnerability.</P><P>I chatted with HPE support, but was not confident in their answer. They directed me to this webpage (<A href="https://www.hpe.com/us/en/services/security-vulnerability.html" target="_blank">https://www.hpe.com/us/en/services/security-vulnerability.html</A>) and said OneVeiw is not listed, so that means its not vulnerable. However, no products are listed on that page, so I was looking for a little more positive confirmation that OneVeiw is not vulnerable. Anyone know for certian?</P> Tue, 14 Dec 2021 04:47:14 GMT https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156427#M6731 daax 2021-12-14T04:47:14Z https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156430#M6732 <P style="margin: 0;"><STRONG>System recommended content:</STRONG></P> <P style="margin: 0;">1. <A href="https://community.hpe.com/hpeb/plugins/custom/hp/hpebresponsive/article_click_sprinklr_bot?clickData=eyJxdWVyeVBpcGVsaW5lIjoiU3ByaW5rbHItQXV0b21hdGlvbiIsImRvY3VtZW50VXJpSGFzaCI6IkwxdnJZcHh6w7B4dmFNQ0x0Iiwic291cmNlTmFtZSI6ImNkcC1rbS1kb2N1bWVudC1wcm8taDQtdjIiLCJkb2N1bWVudFRpdGxlIjoiTm90aWNlOiBBcGFjaGUgU29mdHdhcmUgTG9nNGogLSBTZWN1cml0eSBWdWxuZXJhYmlsaXR5IENWRS0yMDIxLTQ0MjI4IiwiYXJ0aWNsZUNsaWNrVXJsIjoiaHR0cHM6Ly9zdXBwb3J0LmhwZS5jb20vaHBlc2MvcHVibGljL2RvY0Rpc3BsYXk/ZG9jSWQ9YTAwMTIwMDg2ZW5fdXMiLCJzZWFyY2hRdWVyeVVpZCI6ImNkNGQ2ZDBhLTgwN2ItNGIwOC04ZTdiLWU4OGFmZjE1YTJiMiJ9" target="_blank" rel="noopener">Notice: Apache Software Log4j - Security Vulnerability CVE-2021-44228</A></P> <P style="margin: 0;">2. <A href="https://community.hpe.com/hpeb/plugins/custom/hp/hpebresponsive/article_click_sprinklr_bot?clickData=eyJxdWVyeVBpcGVsaW5lIjoiU3ByaW5rbHItQXV0b21hdGlvbiIsImRvY3VtZW50VXJpSGFzaCI6IlNBcmFHcjRsV3ZoUEF2bGsiLCJzb3VyY2VOYW1lIjoiY2RwLWttLWRvY3VtZW50LXByby1oNC12MiIsImRvY3VtZW50VGl0bGUiOiJJcyBOb25TdG9wIHN5c3RlbSB2dWxuZXJhYmxlIHRvIENWRS0yMDIxLTQ0MjI4PyIsImFydGljbGVDbGlja1VybCI6Imh0dHBzOi8vc3VwcG9ydC5ocGUuY29tL2hwZXNjL3B1YmxpYy9kb2NEaXNwbGF5P2RvY0lkPW5zMjExMjQ1MzUwNDIzZW5fdXMiLCJzZWFyY2hRdWVyeVVpZCI6ImNkNGQ2ZDBhLTgwN2ItNGIwOC04ZTdiLWU4OGFmZjE1YTJiMiJ9" target="_blank" rel="noopener">Is NonStop system vulnerable to CVE-2021-44228?</A></P> <P style="margin: 0;">&nbsp;</P> <P style="margin: 0;">If the above information is helpful, then please click on "Thumbs Up/Kudo" icon.</P> <P style="margin: 0;">&nbsp;</P> <P style="margin: 0;">Thank you for being a HPE community member.</P> Mon, 13 Dec 2021 22:45:55 GMT https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156430#M6732 support_s 2021-12-13T22:45:55Z https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156431#M6733 HPE OneView and OneView Global Dashboard are not vulnerable to the log4j exploit. While both use log4j, it is an older version without the exploit and does not allow an external attacker access to its endpoint (it is restricted to internal authenticated services only).<BR /><BR />iLO does not use log4j at all, in any firmware version for any generation of ASIC. Mon, 13 Dec 2021 22:55:12 GMT https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156431#M6733 ChrisLynch 2021-12-13T22:55:12Z https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156517#M6734 <P>Thank you!</P> Tue, 14 Dec 2021 16:05:55 GMT https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156517#M6734 daax 2021-12-14T16:05:55Z https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156518#M6735 <P>Thank you!</P> Tue, 14 Dec 2021 16:06:32 GMT https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156518#M6735 daax 2021-12-14T16:06:32Z https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156596#M6740 <P>Just a quick question, you said iLO doesn't use Log4j, But i was under the impression that HPE are currently making a new iLO version to fix this, am I wrong?</P> Wed, 15 Dec 2021 09:17:14 GMT https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156596#M6740 cesarpegado 2021-12-15T09:17:14Z https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156652#M6741 <BLOCKQUOTE><P><SPAN>Just a quick question, you said iLO doesn't use Log4j, But i was under the impression that HPE are currently making a new iLO version to fix this, am I wrong?</SPAN></P></BLOCKQUOTE><P>I'm not sure where you recieved that information from, but iLO is <STRONG>not</STRONG> impacted by CVE-2021-44228.&nbsp; We document major vulnerabilities <A href="https://www.hpe.com/us/en/services/security-vulnerability.html" target="_blank" rel="noopener">here</A>.&nbsp; The specific details to <A href="https://techhub.hpe.com/eginfolib/securityalerts/Apache%20Software%20Log4j/Apache_Software_Log4j.html" target="_blank" rel="noopener">CVE-2021-44228 here</A>.&nbsp; You will see that iLO4 and iLO5 are in the not vulnerable list, <A href="https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120086en_us" target="_blank" rel="noopener">here</A>.&nbsp; We are looking to amend the list to include all versions of iLO.</P> Wed, 15 Dec 2021 16:10:54 GMT https://community.hpe.com/t5/hpe-oneview/is-oneview-vulnerable-to-the-apache-software-log4j-vulnerability/m-p/7156652#M6741 ChrisLynch 2021-12-15T16:10:54Z