- Community Home
- >
- Storage
- >
- Midrange and Enterprise Storage
- >
- HPE 3PAR StoreServ Storage
- >
- Latest SSMC update v3.8.2.1 is available for downl...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-17-2021 08:25 PM - edited 12-19-2021 11:55 PM
12-17-2021 08:25 PM - edited 12-19-2021 11:55 PM
Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed
Hello all,
The latest SSMC update v3.8.2.1 is now available for download.
This version includes important security fixes and adheres to NIST SP 800-53 guidelines. It addresses the log4j vulnerability (CVE-2021-44228) as well.
https://myenterpriselicense.hpe.com/cwp-ui/free-software/SSMC_CONSOLE
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I am an HPE Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-18-2021 08:13 AM
12-18-2021 08:13 AM
Re: Latest SSMC update v3.8.2.1 is available for download
Thanks for the quick turnaround. Do you have an ETA for Service Processor 5.x patch?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 12:54 AM
12-20-2021 12:54 AM
Re: Latest SSMC update v3.8.2.1 is available for download
Hello @aireynol,
I don't have any updates yet. Are you finding it vulnerable to log4j in your tests?
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I am an HPE Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 01:37 AM
12-20-2021 01:37 AM
Re: Latest SSMC update v3.8.2.1 is available for download
I have not been able to independently confirm it is vulnerable however it is listed a vulnerable in the security bulletin so I have shut mine down for now.
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 05:53 AM
12-20-2021 05:53 AM
Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed
Thank you for letting us know! But I don't see any of the .star upgrade packages on that page. Am I just missing them as don't seem to be able to find any .star packages for 3.8 or above, just the ISO files. I am currently on 3.7.2 and it wants the .star upgrade files to do an inplace upgrade.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 06:06 AM
12-20-2021 06:06 AM
Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed
The *.star file is in the iso-file.
If you are on 3.7.x, then you will need to.
0. Create a snapshot on your ESX/vmware/hyperV environment as a backup.
1. download the 3.8.0 iso-file
2. mount the 3.8.0 iso-file on the PC.
3. There you will find the 3.8.0*.star file that you can pick up for the upgrade.
4. download the 3.8.2.1 iso-file
5. mount the 3.8.2.1 iso-file
6. pickup the 3.8.2.1.* star file and do the upgrade.
You may also directly go to 3.8.2.1. But I have not tested this.
Hope that helps.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 06:11 AM
12-20-2021 06:11 AM
Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed
Thank you Bertram! Definitely too early on a Monday and need more coffee or I might have remembered that.
Will add that to the notes I have for my team because I left that step out.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 08:26 AM
12-20-2021 08:26 AM
Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed
A general comment about SSMC upgrade from older versions. Version 3.4.x and 3.5.x (not the windows 3.3.1 version !!)
First: You can find the version of your SSMC appliance in the right-bottom corner of the SSMC-appliance page.
If your current version is 3.6.x or above, then you can stop reading this post.
If your current version is 3.4.x or 3.5.x then you won´t be able to directly upgrade to version 3.8.2.1.
You either need to first upgrade to version 3.6, or you need to do a new installation of SSMC 3.8.
I would recommend that you do a new installation of SSMC 3.8.0 followed by an upgrade to SSMC 3.8.2.1. A new installation usually does not last more than 30 minutes. Also note that it is possible to run 2 SSMC-instances in parallel, So you can let the old-version running, while the new one is setup. That way you can test the new version. The old instance should then be disconnected as any additional instance adds load the connected arrays.
The upgrade limitation is also documented in the administration guide:
While upgrading from version 3.4.0.x, SSMC does not display any minimum version error message but generally
fails. Hewlett Packard Enterprise recommends you to upgrade to 3.6.0.0 version before upgrading to later
versions. To upgrade to HPE SSMC 3.8.0.0, you must have a minimum version of HPE SSMC 3.6.0.0.
If you have a complex setup (many arrays and many self-created reports) and you prefer to upgrade to SSMC 3.8.2.1 via the interim version of 3.6, then you should open a support case, as the 3.6 version is not available on the HPE-download center.
For those who decide to do this, or who have an 3.6.x version available i also want to emphasize on an important change that came with SSMC 3.6, also mentioned in the administration guide:
Unified Login credentials for Administrative Access from SSMC 3.6 onwards
From HPE SSMC 3.6 release onwards, the web administrator account is merged with the appliance administrator
account. As a result, there is a single locally defined unified application administrator account for all SSMC.
If you are upgrading from a version prior to HPE SSMC 3.6 release, then the web administrator credentials, if
defined already, expires and you have to use ssmcadmin (same password that you use for appliance access)
to log in to the web GUI as well.
The single local account ( ssmcadmin ) remains as the only emergency account for all SSMC
Why this is important:
We had a couple of customers who could not remember the ssmcadmin password. They never, or only once have logged in to the SSMC-TUI and then forgot the password, as with SSMC 3.4.x and SSMc 3.5.x the Web-based-administrator login, the one you use when adding an array, or when upgrading SSMC is a different user, and the TUI access once the SSMC is completly setup, is never used.
So what happened was this:
1. customer logged in via the GUI-admin user and started the upgrade to SSMC 3.6
2. SSMC 3.6 during the upgrade removes the GUI-admin account and merges it with the TUI-ssmcadmin acount.
3. Since the customer forgot about the TUI-ssmcadmin password, they were not able to upgrade further or to add any array. Resetting the password at that point is NOT possible as you need the TUI-ssmcadmin credentials to do this.
HPE-support is also not able to reset the password because there is no root-access on the appliance.
To prevent this from happening you should do this:
Prior to the upgrade from version 3.4.x or 3.5.x to the interim version 3.6.x: Check if you can ssh-login as the "ssmcadmin" user to the TUI . Keep the password in mind as you will need it to do the further updates via the ssmcadmin user.
(One addtional note: Starting with SSMC 3.6, the appliance allows the configuration of a password-recovery via email)
I hope that this was not too confusing.
As i wrote, instead of an upgrade from 3.4.x or 3.5.x, you can do a new installation of 3.8.0 plus an upgrade to 3.8.2.1.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 09:40 AM
12-20-2021 09:40 AM
Re: Latest SSMC update v3.8.2.1 is available for download
Looks like SP 5.0.9.2 will fix it
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00002915en_us
Fixes
The following issue is addressed in 5.0.9.2 release:
Issue ID:
350855
Issue summary:
CVE-2021-44228 and CVE-2021-45046 - Log4j and Log4Shell Security Vulnerabilities.
Affected platforms:
Only SP.
Affected software versions:
All versions from 5.0 onwards.
Issue description:
Security fixes for CVE-2021-44228 (Log4Shell) and CVE-2021-45046 are available in this patch release. Hewlett Packard Enterprise strongly recommends you to upgrade HPE Service Processor to 5.0.9.2 patch release as early as possible.
Conditions of occurrence:
N/A
Impact:
High
Customer circumvention:
Upgrade to patch 5.0.9.2Customer recovery step: N/A
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 02:14 PM
12-20-2021 02:14 PM
Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed
Here's SSMC v3.6: https://myenterpriselicense.hpe.com/cwp-ui/software-update-details?productNumber=HPE_STORAGE_SSMC&version=3.6&impersonationFlow=searchProductByFamilyFlow
ISO: HPE_SSMC_3.6_SW_QR482-11420.iso
You'll need to have contract access to it.
However, I think starting fresh on SSMC 3.8 will be fine.