HPE OneView

Re: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

 
SOLVED
daax
Occasional Contributor

Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

As title says, I'm looking to determine if the OneView or OneView Global Dashboard appliances (and iLO interfaces for that matter) are vulnerable to the Log4j vulnerability.

I chatted with HPE support, but was not confident in their answer. They directed me to this webpage (https://www.hpe.com/us/en/services/security-vulnerability.html) and said OneView is not listed, so that means it's not vulnerable. However, no products are listed on that page, so I was looking for a little more positive confirmation that OneView is not vulnerable. Anyone know for certain?

6 REPLIES
support_s
System Recommended
Solution

Query: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

System recommended content:

1. Notice: Apache Software Log4j - Security Vulnerability CVE-2021-44228

2. Is NonStop system vulnerable to CVE-2021-44228?

 

If the above information is helpful, then please click on "Thumbs Up/Kudo" icon.

 

Thank you for being a HPE community member.



ChrisLynch
HPE Pro

Re: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

HPE OneView and OneView Global Dashboard are not vulnerable to the log4j exploit. While both use log4j, it is an older version without the exploit and does not allow an external attacker access to its endpoint (it is restricted to internal authenticated services only).

iLO does not use log4j at all, in any firmware version for any generation of ASIC.

I am an HPE employee


daax
Occasional Contributor

Re: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

Thank you!

daax
Occasional Contributor

Re: Query: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-4422

Thank you!

cesarpegado
Valued Contributor

Re: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

Just a quick question, you said iLO doesn't use Log4j, but I was under the impression that HPE are currently making a new iLO version to fix this, am I wrong?

ChrisLynch
HPE Pro

Re: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?

> Just a quick question, you said iLO doesn't use Log4j, but I was under the impression that HPE are currently making a new iLO version to fix this, am I wrong?

I'm not sure where you received that information from, but iLO is not impacted by CVE-2021-44228. We document major vulnerabilities here. The specific details to CVE-2021-44228 here. You will see that iLO4 and iLO5 are in the not vulnerable list, here. We are looking to amend the list to include all versions of iLO.


I am an HPE employee
