HPE 3PAR StoreServ Storage

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

 
SebSei
Occasional Visitor

Re: Latest SSMC update v3.8.2.1 is available for download

Thank you very much Mr. Stoeckler. 

Just to make clear: 

"SSMC does NOT use the feature of a "non-default Pattern Layout with a Context Lookup." Does this refer to:

Remediating CVE-2021-45105

It is highly recommended for users of Log4j to upgrade to the latest 2.17.0 version.

If it is not possible at the moment, make sure your Log4j version is at least upgraded to 2.16.0, and ensure you are not using any Context lookups of the form:

${ctx:username}

You can switch such lookups into Thread Context Map patterns, such as:

%X, %mdc, or %MDC

If Context Lookups are mandatory, ensure that there are no such lookups that reference data that is user-controlled in any way.

Copied from https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cve-2021-45105/

Best regards Sebastian Seifert
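
The check described in the remediation text quoted above can be run over a Log4j 2 XML configuration. This is an added example, not part of the original post and not SSMC or HPE code: it lists every Context Lookup of the form ${ctx:key} found in a layout pattern, together with the Thread Context Map pattern it could be switched to. The sample configuration and the name find_context_lookups are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and the escaped $${ctx:key} form, with an optional :-default.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)(?::-[^}]*)?\}")

# Constructed sample configuration (not taken from SSMC or any real product).
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="safe">
      <PatternLayout pattern="%d %-5p [%X{username}] %c - %m%n"/>
    </Console>
    <Console name="risky">
      <PatternLayout pattern="%d %-5p ${ctx:username} %c - %m%n"/>
    </Console>
    <File name="audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d $${ctx:requestId:-none} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
</Configuration>
"""


def find_context_lookups(config_xml):
    """Return one finding per Context Lookup used inside a layout pattern."""
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        # A pattern is either a 'pattern' attribute or the text of a <Pattern> child.
        candidates = []
        if "pattern" in elem.attrib:
            candidates.append(elem.attrib["pattern"])
        if elem.tag.lower() == "pattern" and elem.text:
            candidates.append(elem.text)
        for pattern in candidates:
            for match in CTX_LOOKUP.finditer(pattern):
                key = match.group(1)
                findings.append({
                    "lookup": match.group(0),
                    "key": key,
                    # %X{key} reads the same Thread Context Map entry without a lookup;
                    # any :-default in the original is not carried over.
                    "replacement": "%X{" + key + "}",
                })
    return findings


if __name__ == "__main__":
    for finding in find_context_lookups(SAMPLE_CONFIG):
        print(finding["lookup"], "->", finding["replacement"])
```
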

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

>For customers still running on SSMC v3.3.1.25068, would you also advise doing a new installation to 3.8, followed by upgrade to SSMC 3.8.2.1. so that we can run tests with the 2 SSMC instances in parallel

Yes. Either migrate using the migration tool, or do a fresh install.

...> Is this an account associated with 3.4.x or higher as not familiar with that.

Yes.

Starting with SSMC 3.4, SSMC is an appliance running in a VM on a hypervisor like VMware or Hyper-V.

The appliance is a ready-to-use Linux-based VM, with one single user, the "ssmcadmin" user.

SSMC 3.4.x and 3.5.x, in addition to the "ssmcadmin" user, allowed a separate "Administrator console" user.

This changed in SSMC 3.6.

Starting with SSMC 3.6 the "ssmcadmin" user is the same as the "Administrator console" user, which in your case is "3paradm1".

The "3paradm" user is not an SSMC-appliance user. The SSMC-appliance does not maintain different users.

Instead the "3paradm" user is a user that exists on the 3PAR-array(s) connected to SSMC.

When you log in as "3paradm", SSMC will let the connected 3PARs do the authentication.

This is/was also the case in the Windows-based SSMC version (<3.4).

 

So when you upgrade/install to 3.8.2.1, your former "Administrator console" user will become "ssmcadmin", while the "3paradm" user remains.

 

Hope that helps.

 

 

I am an HPE Employee


Re: Latest SSMC update v3.8.2.1 is available for download

>Just to make clear: 

>"SSMC does NOT use the feature of a "non-default Pattern Layout with a Context Lookup." Does this refer to:

>Remediating CVE-2021-45105

...

 

Yes. That's correct.

 

 

I am an HPE Employee


sbhat09
HPE Pro

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

Hello @Paolo_c,

For customers still running on SSMC v3.3.1.25068, would you also advise doing a new installation to 3.8, followed by upgrade to SSMC 3.8.2.1. so that we can run tests with the 2 SSMC instances in parallel?
Ans: Yes. Customers on SSMC v3.3.1 are also recommended to upgrade to v3.8.2.1 via the upgrade path you mentioned.

Also with regards to the ssmcadmin user. Is this an account associated with 3.4.x or higher as not familiar with that. We have a 3paradm user (which has full admin rights, and which I use for presenting storage etc) and also have a 3paradm1 account for logging on as Administrator console.
Ans: The ssmcadmin is the user for the administrator console (to add or remove the systems from SSMC etc). But for storage administration purposes you will continue to use the 3paradm user. You can create multiple users with the required rights (admin console, full rights, edit, view only etc).

Also am I right in thinking that v3.8 and above can only be installed on a VM? (our current 3.3.1 SSMC runs under Windows Server 2016.)
Ans: Yes. Any SSMC versions 3.4 or above can be installed only on a VM. It is a complete appliance which doesn't require a server OS underneath. It can be deployed over a blank VM of VMware or Hyper-V.

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.


I am an HPE Employee


Paolo_c
Valued Contributor

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

Thanks to everyone for the detailed feedback provided. 

 

 

Paolo_c
Valued Contributor

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

You mention that the "appliance is a ready-to-use Linux-based VM". Could you please confirm what flavour of Linux (and version) is embedded in the appliance?

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

This is the "uname -a" output of an SSMC 3.8.2.0 appliance. 

 

ssmcadmin@ssmc38:/$ uname -a
Linux ssmc38 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
ssmcadmin@ssmc38:/$

Hope that helps.

 

I am an HPE Employee


fxpester
Occasional Visitor

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

Hi, can't download it from the HPE main site, the error is "HPE regrets to inform you that we are unable to act on your access request at this time due to technical issues we are currently experiencing with user validation."

Are there any mirrors where I can get SSMC?

goslackware
Occasional Advisor

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

You'll want to open a ticket, or use the HPE support chat to get access.

If you need to add contracts to your account, send an email with your serial numbers, SAR ID, and SAID ID and any other contract info to: wwusagesupport-cscb@hpe.com

For reference, after you download the updates, do verify the sha256 hashes, below (such as with 7zip, right click the iso file, calculate sha256 hash).

938b06dfe3e0aa511e3018998ae73af2766773ceb21dae3c89d207c26207a8a8 HPE_SSMC_3.6_SW_QR482-11420.iso
3844cd6509e9b956dff8e590c4e3b7ece739db33c5df3ade19493fcffa587e04 HPE_SSMC_3.8.1_QR482-11572.iso
4da7fca8e5e1164fc18871ee2eae78c89772ae0cd6ed4f0a1e45be64ad2fde5d HPE_SSMC_3.8.2.1_QR482-11622.iso
59ea3b76bc4a2c28cbed241c2f7da58b55906e4d9cb5708e93c0ff46c135e1b8 HPE_SSMC_3.8.2_QR482-11610.iso
33af8ba235b8b3793e41ebfa9394378eda6074d687f81831a19de7a2a8d52206 HPE_SSMC_3.8_QR482-11524.iso
5b0eef6fd07b5a82eaba8322ebe0ddc238fa1a01fee5f1d6337e2c450dbb38d4 HPE_SSMC_Excel_client_installer_SW_for_3.8_QR482-10135.iso
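
The verification step recommended above can also be scripted. This is an added example, not part of the original post and not an HPE tool: it checks files in a directory against a list in the "hash filename" layout used above and reports OK, MISMATCH or MISSING for each entry. The function names and the demo files are constructed for illustration; the demo builds its own small files and list so that it runs offline.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One entry per line: 64 hex digits, whitespace, file name (sha256sum layout).
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so that multi-gigabyte ISOs do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(manifest_text, directory):
    """Return {file name: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest line."""
    results = {}
    for line in manifest_text.splitlines():
        match = MANIFEST_LINE.match(line.strip())
        if not match:
            continue  # skip blank lines and anything that is not an entry
        expected, name = match.group(1).lower(), match.group(2).strip()
        # basename() keeps a manifest entry from pointing outside the directory.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed data: one intact file, one altered file, one absent file."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("good.iso", b"image A"), ("tampered.iso", b"image B")):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        manifest = "\n".join([
            hashlib.sha256(b"image A").hexdigest() + " good.iso",
            hashlib.sha256(b"original image B").hexdigest() + " tampered.iso",
            "0" * 64 + " absent.iso",
        ])
        return verify_manifest(manifest, tmp)
```

A match only shows that a file equals what the list describes, so the reference hashes should come from a source you trust.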

Paolo_c
Valued Contributor

Re: Latest SSMC update v3.8.2.1 is available for download - log4j vulnerability fixed

Good morning, I am trying to upgrade from 3.3.1 to 3.8 on a VM (Kubernetes private managed cloud). After presenting the ISOs to the Data Cloud I created a new VM and presented the 3.8.2 ISO as the boot image, but when I powered on/off the VM and connected by web console it wouldn't boot into the software (see images below), so not sure what I need to do to get this software installed on the new VM?


[Images: ScreenHunter 3848.png, ScreenHunter 3847.png, ScreenHunter 3850.png]