HPE 3PAR StoreServ Storage

Re: SSMC and log4j vulnerability

 
aireynol
Advisor

SSMC and log4j vulnerability

SSMC 3.8.1 is vulnerable to log4j (CVE-2021-44228). If you have any public-facing instances, I would suggest shutting them down while we wait for a bulletin.

Also, myenterpriselicense.hpe.com has been down all morning, so I can't get 3.8.2 to test against that.

Edit: site is back up

Edit1: 3.8.2 is still vulnerable in my testing. I have also heard reports Service Processor is vulnerable although I have not been able to confirm with testing.

support_s
System Recommended

Query: SSMC and log4j vulnerability

System recommended content:

1. Notice: Apache Software Log4j - Security Vulnerability CVE-2021-44228

2. Servlets: log4j synchronized logging issues from multiple JVM processes

 


QuintonH
New Member

Re: SSMC and log4j vulnerability

The Software Depot site seems to have been down for 24 hours. I have tried multiple times in this time and am getting errors like:

Internal Server Error - Read

The server encountered an internal error or misconfiguration and was unable to complete your request.

Reference #3.9667cd17.1639443263.1103c702

Can you advise when this site is expected to be back up and running?

 

sbhat09
HPE Pro

Re: SSMC and log4j vulnerability

The link to download SSMC is still down. I will let you know if I get any updates or the link starts working.

Regards,

Srinivas Bhat


I am an HPE Employee


cesarpegado
Valued Contributor

Re: SSMC and log4j vulnerability

I can get to the HPE website, but all I seem to find is release notes for 3.8.2; I can't find the actual download.

Jyothiyash
HPE Pro

Re: SSMC and log4j vulnerability

The latest release notes are not PDF downloads. Release notes for SSMC v3.8.2 are available only for online reference.
You can refer to this URL for release notes information: https://myenterpriselicense.hpe.com/cwp-ui/free-software/SSMC_CONSOLE
Hyperlinks are available for additional details as well.

Regards

Jyothi (HPE Employee)

 

 


I am an HPE Employee
Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise


cesarpegado
Valued Contributor

Re: SSMC and log4j vulnerability

Thank you, I can download it from your link.

ArjanSchepers
Frequent Visitor

Re: SSMC and log4j vulnerability

So I was able to download 3.8.2. But I cannot find anything on whether the log4j exploit is fixed or not. Anyone with more information care to chip in?

sbhat09
HPE Pro

Re: SSMC and log4j vulnerability

Hello @ArjanSchepers,

The release notes (as on 9th Dec 2021) say SSMC v3.8.2 includes "important security fixes that strengthen the security posture of SSMC appliance. HPE strongly recommends that you upgrade your SSMC appliance to this version."

Later (as on 13th Dec 2021) the below document confirms that HPE 3PAR is not affected by the 'Log4j' vulnerability.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us

There is no official confirmation about whether the vulnerability is fixed in the SSMC v3.8.2.

I will keep you posted if I can get more details.

Regards,
Srinivas Bhat

Note: All of my comments are my own and are not any official representation of HPE.


I am an HPE Employee


Raz2
New Member

Re: SSMC and log4j vulnerability

Hi, we have some old G6 blades and chassis. We wanted to check if these are affected?

 

Thanks