HPE 3PAR StoreServ Storage

Re: SSMC and log4j vulnerability

 
sbhat09
HPE Pro

Re: SSMC and log4j vulnerability

Hello @Raz2,

Here is the list of HPE products that are NOT affected by the vulnerability (after the recommended upgrade). HPE is working to safeguard the rest of the actively supported products. Please refer to the list below:

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.


I am an HPE Employee


monardo
Visitor

Re: Query: SSMC and log4j vulnerability

Dear HPE, so SSMC version 3.7.2 can be vulnerable?

Thanks a lot

Monardo

sbhat09
HPE Pro

Re: Query: SSMC and log4j vulnerability

Hello @monardo,

This vulnerability was just found last week (9th December 2021 I think). SSMC 3.7.2 is the older release.

As per my news sources, in its standard form, I don't think SSMC v3.7.2 is vulnerable in a secured network. However, HPE has not confirmed that v3.7.2 is safeguarded from the vulnerability as well. Vulnerability also depends on your network security, other cloud and web applications, APIs and other plugins.

I recommend you get that confirmed by your IT security team.

Regards,
Srinivas Bhat


ArjanSchepers
Established Member

Re: SSMC and log4j vulnerability

Yes, please keep us posted. "Looks like the vulnerability is fixed" is not good enough for us, we need to be sure. In the meantime, we shut down the SSMC appliance.

sbhat09
HPE Pro

Re: SSMC and log4j vulnerability

Hello @ArjanSchepers,

This notice (URL below) states that 3PAR, Primera, Alletra and several other HPE systems are safe from the vulnerability. But it doesn't explicitly confirm this for the SSMC. I will post it here when I can get that confirmation.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us

Regards,
Srinivas Bhat


aireynol
Valued Contributor

Re: SSMC and log4j vulnerability

3.8.2 is still vulnerable in my testing. I have also heard reports Service Processor is vulnerable although I have not been able to confirm with testing.

monardo
Visitor

Re: SSMC and log4j vulnerability

Yes, I saw this document and it is not totally complete... 

sbhat09
HPE Pro

Re: SSMC and log4j vulnerability

Got an update that SSMC v3.8.2 is not confirmed as safe against the 'log4j' vulnerability.

The fix for the vulnerability is in progress. But there is a workaround available as well. Please contact HPE support if waiting for the fix is not an option for you.

Regards,
Srinivas Bhat


fnbit
Occasional Advisor

Re: SSMC and log4j vulnerability

From what I can tell, SSMC 3.8.2 is patching a completely different CVE (CVE-2021-29214)... I think its release timing of December 9th is what's confusing. I would imagine that 3.8.2 is still vulnerable to CVE-2021-44228.

CVE-2021-29214 vs CVE-2021-44228

ArjanSchepers
Established Member

Re: SSMC and log4j vulnerability

Can you please post the workaround? I'm currently juggling around with at least 5 affected products in my organization, I do not have time to contact each supplier individually. We need a public facing website with workarounds, patches or other means of mitigation. Thank you @sbhat09