HPE Community
HPE 3PAR StoreServ Storage
1753871 Members
7366 Online
108809 Solutions
New Discussion

SSMC and log4j vulnerability

 
SOLVED
Go to solution
aireynol
Valued Contributor

‎12-13-2021 06:12 AM - edited ‎12-14-2021 05:03 AM

‎12-13-2021 06:12 AM - edited ‎12-14-2021 05:03 AM

SSMC and log4j vulnerability

SSMC 3.8.1 is vulnerable to log4j (cve-2021-44228), if you have any public facing instances I would suggest shutting them down while we wait for a bulletin.

Also myenterpriselicense.hpe.com has been down all morning so can't get 3.8.2 to test against that.

Edit: site is back up

Edit1: 3.8.2 is still vulnerable in my testing. I have also heard reports Service Processor is vulnerable although I have not been able to confirm with testing.

Reply
75 REPLIES 75
support_s
System Recommended

‎12-13-2021 07:12 AM

‎12-13-2021 07:12 AM

Query: SSMC and log4j vulnerability

System recommended content:

1. Notice: Apache Software Log4j - Security Vulnerability CVE-2021-44228

2. Servlets: log4j synchronized logging issues from multiple JVM processes

 

If the above information is helpful, then please click on "Thumbs Up/Kudo" icon.

 

Thank you for being a HPE community member.


Accept or Kudo

0 Kudos
Reply
QuintonH
Occasional Visitor

‎12-13-2021 05:35 PM

‎12-13-2021 05:35 PM

Re: SSMC and log4j vulnerability

The Software Depot site seems to have been down for 24 hours - Have tryied multiple times in this time - Getting errors like:

Internal Server Error - Read

The server encountered an internal error or misconfiguration and was unable to complete your request.

Reference #3.9667cd17.1639443263.1103c702

Can you advise when this site is expected to be back up and running?

 

0 Kudos
Reply
sbhat09
HPE Pro

‎12-13-2021 07:58 PM

‎12-13-2021 07:58 PM

Re: SSMC and log4j vulnerability

The link to download SSMC is still down. I will let you know if I get any updates or the link starts working.

Regards,

Srinivas Bhat


I am an HPE Employee

Accept or Kudo

0 Kudos
Reply
cesarpegado
Valued Contributor

‎12-14-2021 01:21 AM

‎12-14-2021 01:21 AM

Re: SSMC and log4j vulnerability

I can get the HPE website, but i all i seem to find is release notes for 3.8.2 but i can't find the actual download

0 Kudos
Reply
Jyothiyash
HPE Pro

‎12-14-2021 01:49 AM

‎12-14-2021 01:49 AM

Re: SSMC and log4j vulnerability

Latest release notes are not pdf downloads. Release notes for SSMC v3.8.2 is available only for online reference.
You can refer this URL for release notes information  https://myenterpriselicense.hpe.com/cwp-ui/free-software/SSMC_CONSOLE
Hyperlinks are available for additional details as well.

Regards

Jyothi (HPE Employee)

 

 


I am an HPE Employee
Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise

Accept or Kudo

Reply
cesarpegado
Valued Contributor

‎12-14-2021 02:01 AM

‎12-14-2021 02:01 AM

Re: SSMC and log4j vulnerability

Thank you, i can download it from your link

0 Kudos
Reply
ArjanSchepers
Established Member

‎12-14-2021 02:09 AM

‎12-14-2021 02:09 AM

Re: SSMC and log4j vulnerability

So I was able to download 3.8.2. But I cannot find anything if the log4j exploit is fixed or not. Anyone with more information care to chip in?

0 Kudos
Reply
sbhat09
HPE Pro

‎12-14-2021 02:22 AM - edited ‎12-14-2021 05:07 AM

‎12-14-2021 02:22 AM - edited ‎12-14-2021 05:07 AM

Re: SSMC and log4j vulnerability

Hello @ArjanSchepers,

The release notes (as on 9th Dec 2021) say SSMC v3.8.2 includes "important security fixes that strengthen the security posture of SSMC appliance. HPE strongly recommends that you upgrade your SSMC appliance to this version."

Later (As on 13th Dec 2021) the below document confirms that HPE 3PAR is not affected by 'Log4j' vulnarability.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us

There is no official confirmation about whether the vulnerability is fixed in the SSMC v3.8.2.

I will keep you posted if I can get more details.

Regards,
Srinivas Bhat

If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.


I am an HPE Employee

Accept or Kudo

Reply
Raz2
New Member

‎12-14-2021 03:02 AM

‎12-14-2021 03:02 AM

Re: SSMC and log4j vulnerability

Hi WE have some old G6 blades and chassis  We wanted to check if these are affected ?

 

Thanks

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.