HPE 3PAR StoreServ Storage

Re: SSMC and log4j vulnerability

 
AerCapTeam
New Member

Re: SSMC and log4j vulnerability

Hi @sbhat09 ,

Can we get a PM with the solution, please?

Regards,

Alan

sbhat09
HPE Pro
Solution

Re: SSMC and log4j vulnerability

GREAT NEWS!

The latest SSMC update version 3.8.2.1 is available for download - https://myenterpriselicense.hpe.com/cwp-ui/free-software/SSMC_CONSOLE

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.


I am an HPE Employee


BBARBAROS
Advisor

Re: SSMC and log4j vulnerability

Do you know of any upgrade issues/problems with 3.82 or 3.8.2.1?

I've got 3.8.1, but no matter what I tried I cannot upgrade to 3.8.2.1... The package uploads, I start the upgrade, but SSMC never reboots; it stays at 3.8.1.

sbhat09
HPE Pro

Re: SSMC and log4j vulnerability

Hello @BBARBAROS,

That is strange though. Please ensure your system meets all the resource/networking/port/firewall requirements to install SSMC v3.8.2.1.

Is there any error you noticed after installing v3.8.2.1? What are the OS versions of the SSMC-connected 3PAR systems? Can you please try to create a new VM and freshly install the v3.8.21?

Regards,
Srinivas Bhat



I am an HPE Employee


BBARBAROS
Advisor

Re: SSMC and log4j vulnerability

3.8.2 and 3.8.2.1 are security updates installed on 3.8.0, not fresh installations.

I upgraded to 3.8.1 with no problem.

I don't get any errors for 3.8.2/3.8.2.1. The upgrade process runs but nothing happens.

andrewk4
Visitor

Re: SSMC and log4j vulnerability

Successfully upgraded to 3.8.2.1.9 (upgraded from 3.8.2.0.39) without issue.

Download .iso, log into SSMC admin and Upgrade with .star file

Is there any confirmation that 3.8.2.1 fixes the log4j vulnerability? I could not find any detailed release notes. Do we need to redo or undo anything if we had applied the workaround?

Thanks

Re: SSMC and log4j vulnerability

Customers who have implemented the configuration change to mitigate the issue, which was later found to be incomplete, do NOT need to revert anything. Upgrading to SSMC 3.8.2.1 fully fixes the reported issue.

Note that the version reported in the lower right corner after the upgrade will show "3.8.2.1.9".

 

I am an HPE Employee


sbhat09
HPE Pro

Re: SSMC and log4j vulnerability

Hello @andrewk4,

My source of information (from developers) confirmed that SSMC 3.8.2.1 or above is safe against the current log4j vulnerability.

Though the release notes don't mention it directly, they state that "the version includes important security fixes and adhere to NIST SP 800-53 guidelines". Please check the details of the guidelines for additional details.

Regards,
Srinivas Bhat



I am an HPE Employee


Re: SSMC and log4j vulnerability

SSMC with version 3.3.1 running as a service on Windows is most likely impacted.

You should move to the appliance model and run with the latest version.

Note that the development of SSMC for Windows has stopped with version 3.3.1 in April 2018.

Since then, no further fixes were implemented and the version therefore most likely has other missing security fixes as well.

HPE always recommends updating to the latest version or solution.

Hope that helps.

 

I am an HPE Employee


areus
Occasional Visitor

Re: SSMC and log4j vulnerability

And how can we move to the appliance model? I've inherited the administration of a 3PAR system and need to keep it running, but I have no idea how to replace the current SSMC with the latest SSMC that HPE is offering. Please advise.