- Community Home
- >
- Storage
- >
- HPE SimpliVity
- >
- Re: vCenter workaround for CVE-2021-44228 (Apache ...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-15-2021 04:45 AM
12-15-2021 04:45 AM
Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-15-2021 06:07 AM
12-15-2021 06:07 AM
Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)
I opened a support case (HPE Support Case 5360796459) with HPE and they recommended the VMWare published workaround. So I take that as the official word.
Please review the below advisory.
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us
Workaround to fix the issue.
https://kb.vmware.com/s/article/87081?lang=en_US
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-15-2021 06:23 AM - edited 12-15-2021 06:24 AM
12-15-2021 06:23 AM - edited 12-15-2021 06:24 AM
Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)
Hello @Brian_Galante
While there is a workaround from VMware to remediate the issue, it hasn't been qualified for Simplivity systems. Please visit the customer advisory for updates, once a workaround or resolution is available it will be communicated accordingly.
I am an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-16-2021 03:08 AM - edited 12-16-2021 03:11 AM
12-16-2021 03:08 AM - edited 12-16-2021 03:11 AM
Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)
@gustenar wrote:While there is a workaround from VMware to remediate the issue, it hasn't been qualified for Simplivity systems. Please visit the customer advisory for updates, once a workaround or resolution is available it will be communicated accordingly.
THIS. Exactly this is why SimpliVity is so bad. You guys take months to release software updates only to notice that once you release software (or take it back because you decide it is only valdi for a new product) it is unsuitable already. Clearly with this attitude you should not play the HCI game where you highly depend on software (hypervisor) from another party.
Of all the vendors we have in our company, none is sooo slow with giving information about affected products - not even mentioning any workarounds.
HPE seems to live in a bubble where time runs a little slower and hackers stay away because they pitty us for using HPE products.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-16-2021 11:59 AM
12-16-2021 11:59 AM
Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)
This HPE security bulletin says SimpliVity and OmniCube are affected, but makes no mention of the vCenter which the OVC's are depenent upon....
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us
The CyberSec and IT Mgmt at my company are pressuring me to apply the vmware fix, but I've been burned in the past by not waiting for HPE with regards to vCenter for SimpliVity updates.
So I wait.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-17-2021 12:42 AM
12-17-2021 12:42 AM
Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)
FYI: I have applied the vCenter modifications as soon as VMware recommended them and have not had any issues with my SimpliVity systems since. YMMV.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-17-2021 12:43 AM
12-17-2021 12:43 AM
Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)
I have applied vCenter Python Log4j Workaround script on ~ 12 Simplivity clusters with no issue so far.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-18-2021 08:46 AM
12-18-2021 08:46 AM
Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)
I can also confirm that the VMware Workaround had no impact on Simplivity. I would go ahead and mitigate the vulnerability ASAP.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 11:15 AM
12-20-2021 11:15 AM
Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)
I may have missed it but I still don't see that the VMWare workaround, vcenter in my case, has been qualified for Simplivity systems yet. Anyone have any updates?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-20-2021 11:24 PM
12-20-2021 11:24 PM
Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)
Well you can wait a couple of weeks that they come out with an official statement that the workaround is qualified for Simplivity. If you are unlucky, your system gets encryptet in the meantime. Apply the existing workarounds now!