HPE SimpliVity

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

 
Håkan Persson_1
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

Brian_Galante
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

I opened a support case (HPE Support Case 5360796459) with HPE and they recommended the VMware published workaround. So I take that as the official word.

Please review the below advisory. 

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us

Workaround to fix the issue.
https://kb.vmware.com/s/article/87081?lang=en_US


gustenar
HPE Pro

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

Hello @Brian_Galante 

While there is a workaround from VMware to remediate the issue, it hasn't been qualified for SimpliVity systems. Please visit the customer advisory for updates; once a workaround or resolution is available, it will be communicated accordingly.


I am an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Ryan_Hardy
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)


@gustenar wrote:

While there is a workaround from VMware to remediate the issue, it hasn't been qualified for SimpliVity systems. Please visit the customer advisory for updates; once a workaround or resolution is available, it will be communicated accordingly.


THIS. Exactly this is why SimpliVity is so bad. You guys take months to release software updates only to notice that once you release software (or take it back because you decide it is only valid for a new product) it is unsuitable already. Clearly with this attitude you should not play the HCI game where you highly depend on software (hypervisor) from another party.

Of all the vendors we have in our company, none is sooo slow with giving information about affected products - not even mentioning any workarounds.

HPE seems to live in a bubble where time runs a little slower and hackers stay away because they pity us for using HPE products.

TroyPayne
Occasional Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

This HPE security bulletin says SimpliVity and OmniCube are affected, but makes no mention of the vCenter which the OVCs are dependent upon....

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us

The CyberSec and IT Mgmt at my company are pressuring me to apply the VMware fix, but I've been burned in the past by not waiting for HPE with regards to vCenter for SimpliVity updates.

So I wait.

Ryan_Hardy
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

FYI: I have applied the vCenter modifications as soon as VMware recommended them and have not had any issues with my SimpliVity systems since. YMMV.

Oliver Pergler
Established Member

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

I have applied the vCenter Python Log4j workaround script on ~12 SimpliVity clusters with no issues so far.

l_lang
Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

I can also confirm that the VMware workaround had no impact on SimpliVity. I would go ahead and mitigate the vulnerability ASAP.

Erik Wattnem
Occasional Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

I may have missed it, but I still don't see that the VMware workaround, vCenter in my case, has been qualified for SimpliVity systems yet. Does anyone have any updates?

l_lang
Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

Well, you can wait a couple of weeks for them to come out with an official statement that the workaround is qualified for SimpliVity. If you are unlucky, your system gets encrypted in the meantime. Apply the existing workarounds now!