- Community Home
- >
- Storage
- >
- Midrange and Enterprise Storage
- >
- HPE 3PAR StoreServ Storage
- >
- Re: SSMC and log4j vulnerability
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2021 03:13 AM
12-14-2021 03:13 AM
Re: SSMC and log4j vulnerability
Hello @Raz2,
Here is the list of HPE Products that are NOT affected by the vulnerability (after recommended upgrade). HPE is working on to safeguard rest of the actively supported products. Please refer the list below:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I am an HPE Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2021 03:32 AM
12-14-2021 03:32 AM
Re: Query: SSMC and log4j vulnerability
Dear HPE, so the SSMC version 3.7.2 can be vulnerable ?
thanks a lot
Monardo
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2021 04:18 AM - edited 12-14-2021 04:44 AM
12-14-2021 04:18 AM - edited 12-14-2021 04:44 AM
Re: Query: SSMC and log4j vulnerability
Hello @monardo,
This vulnerability was just found last week (9th December 2021 I think). SSMC 3.7.2 is the older release.
As per my news sources, in it's standard form, I don't think SSMC v3.7.2 is vulnerable in a secured network. However, HPE has not confirmed that v3.7.2 is safeguarded from the vulnerability as well. Vulnerability also depends on your network security, other cloud and web application, APIs and other plugins.
I recommend you to get that confirmed by your IT security team.
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I am an HPE Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2021 04:19 AM
12-14-2021 04:19 AM
Re: SSMC and log4j vulnerability
Yes, please keep us posted. "Looks like the vulnerability is fixed" is not good enough for us, we need to be sure. In the meantime, we shut down the SSMC appliance.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2021 04:54 AM
12-14-2021 04:54 AM
Re: SSMC and log4j vulnerability
Hello @ArjanSchepers,
This notice (URL below) states that 3PAR, Primera, alletra and several other HPE systems are safe from the vulnerability. But doesn't explicitly confirms about the SSMC. I will post it here when I can get that confirmation.
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I am an HPE Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2021 05:03 AM
12-14-2021 05:03 AM
Re: SSMC and log4j vulnerability
3.8.2 is still vulnerable in my testing. I have also heard reports Service Processor is vulnerable although I have not been able to confirm with testing.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2021 05:50 AM
12-14-2021 05:50 AM
Re: SSMC and log4j vulnerability
Yes, I saw this document and it is not totally complete...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2021 06:06 AM
12-14-2021 06:06 AM
Re: SSMC and log4j vulnerability
Got an update that SSMC v3.8.2 is not confirmed as safe against the 'log4j' vulnerability.
The fix for the vulnerability is in progress. But there s a workaround available as well. Please contact HPE support if waiting for the fix is not an option for you.
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I am an HPE Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-14-2021 10:11 AM
12-14-2021 10:11 AM
Re: SSMC and log4j vulnerability
From what I can tell, SSMC 3.8.2 is patching a completely different CVE (CVE-2021-29214)...I think its release timing of December 9th is what's confusing. I would imagine that 3.8.2 is stil vulnerable to CVE-2021-44228.
vs
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-15-2021 03:47 AM
12-15-2021 03:47 AM
Re: SSMC and log4j vulnerability
Can you please post the workaround? I'm currently juggling around with at least 5 affected products in my organization, I do not have time to contact each supplier individually. We need a public facing website with workarounds, patches or other means of mitigation. Thank you @sbhat09