HPE Community
HPE OneView
1752777 Members
6009 Online
108789 Solutions
New Discussion юеВ

Re: Query: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-4422

 
SOLVED
Go to solution
daax
Occasional Advisor

тАО12-13-2021 01:45 PM - last edited on тАО12-13-2021 08:47 PM by

тАО12-13-2021 01:45 PM - last edited on тАО12-13-2021 08:47 PM by

Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

As title says, I'm looking to determine if the OneView or OneView Global Dashboard appliances (And iLO interfaces for that matter) are vulnerable to the Log4j vulnerability.

I chatted with HPE support, but was not confident in their answer. They directed me to this webpage (https://www.hpe.com/us/en/services/security-vulnerability.html) and said OneVeiw is not listed, so that means its not vulnerable. However, no products are listed on that page, so I was looking for a little more positive confirmation that OneVeiw is not vulnerable. Anyone know for certian?

0 Kudos
Reply
6 REPLIES 6
support_s
System Recommended

тАО12-13-2021 02:45 PM

тАО12-13-2021 02:45 PM

Solution

Query: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

System recommended content:

1. Notice: Apache Software Log4j - Security Vulnerability CVE-2021-44228

2. Is NonStop system vulnerable to CVE-2021-44228?

 

If the above information is helpful, then please click on "Thumbs Up/Kudo" icon.

 

Thank you for being a HPE community member.


Accept or Kudo

Reply
ChrisLynch
HPE Pro

тАО12-13-2021 02:54 PM - edited тАО12-13-2021 02:55 PM

тАО12-13-2021 02:54 PM - edited тАО12-13-2021 02:55 PM

Re: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

HPE OneView and OneView Global Dashboard are not vulnerable to the log4j exploit. While both use log4j, it is an older version without the exploit and does not allow an external attacker access to its endpoint (it is restricted to internal authenticated services only).

iLO does not use log4j at all, in any firmware version for any generation of ASIC.

I am an HPE employee

Accept or Kudo

Reply
daax
Occasional Advisor

тАО12-14-2021 08:05 AM

тАО12-14-2021 08:05 AM

Re: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

Thank you!

0 Kudos
Reply
daax
Occasional Advisor

тАО12-14-2021 08:06 AM

тАО12-14-2021 08:06 AM

Re: Query: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-4422

Thank you!

0 Kudos
Reply
cesarpegado
Valued Contributor

тАО12-15-2021 01:17 AM

тАО12-15-2021 01:17 AM

Re: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

Just a quick question, you said iLO doesn't use Log4j, But i was under the impression that HPE are currently making a new iLO version to fix this, am I wrong?

0 Kudos
Reply
ChrisLynch
HPE Pro

тАО12-15-2021 08:10 AM

тАО12-15-2021 08:10 AM

Re: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

Just a quick question, you said iLO doesn't use Log4j, But i was under the impression that HPE are currently making a new iLO version to fix this, am I wrong?

I'm not sure where you recieved that information from, but iLO is not impacted by CVE-2021-44228.  We document major vulnerabilities here.  The specific details to CVE-2021-44228 here.  You will see that iLO4 and iLO5 are in the not vulnerable list, here.  We are looking to amend the list to include all versions of iLO.


I am an HPE employee

Accept or Kudo

Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.