SOLVED
System recommended content:
1. Notice: Apache Software Log4j - Security Vulnerability CVE-2021-44228
2. Servlets: log4j synchronized logging issues from multiple JVM processes
If the above information is helpful, then please click on "Thumbs Up/Kudo" icon.
Thank you for being a HPE community member.
The link to download SSMC is still down. I will let you know if I get any updates or the link starts working.
Regards,
Srinivas Bhat
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Latest release notes are not pdf downloads. Release notes for SSMC v3.8.2 is available only for online reference.
You can refer this URL for release notes information https://myenterpriselicense.hpe.com/cwp-ui/free-software/SSMC_CONSOLE
Hyperlinks are available for additional details as well.
Regards
Jyothi (HPE Employee)
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hello @ArjanSchepers,
The release notes (as on 9th Dec 2021) say SSMC v3.8.2 includes "important security fixes that strengthen the security posture of SSMC appliance. HPE strongly recommends that you upgrade your SSMC appliance to this version."
Later (As on 13th Dec 2021) the below document confirms that HPE 3PAR is not affected by 'Log4j' vulnarability.
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us
There is no official confirmation about whether the vulnerability is fixed in the SSMC v3.8.2.
I will keep you posted if I can get more details.
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hello @Raz2,
Here is the list of HPE Products that are NOT affected by the vulnerability (after recommended upgrade). HPE is working on to safeguard rest of the actively supported products. Please refer the list below:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hello @monardo,
This vulnerability was just found last week (9th December 2021 I think). SSMC 3.7.2 is the older release.
As per my news sources, in it's standard form, I don't think SSMC v3.7.2 is vulnerable in a secured network. However, HPE has not confirmed that v3.7.2 is safeguarded from the vulnerability as well. Vulnerability also depends on your network security, other cloud and web application, APIs and other plugins.
I recommend you to get that confirmed by your IT security team.
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hello @ArjanSchepers,
This notice (URL below) states that 3PAR, Primera, alletra and several other HPE systems are safe from the vulnerability. But doesn't explicitly confirms about the SSMC. I will post it here when I can get that confirmation.
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120086en_us
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Got an update that SSMC v3.8.2 is not confirmed as safe against the 'log4j' vulnerability.
The fix for the vulnerability is in progress. But there s a workaround available as well. Please contact HPE support if waiting for the fix is not an option for you.
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hello @ArjanSchepers,
I am not allowed to share the workaround publicly. But the security update patch to address 'log4j' vulnerability is in progress and will be released soon.
Till then you can shut-down the SSMC. Use CLI for important administration tasks.
If that is not an option for you, I can personal message you the steps of temporary workaround.
How do you like to go about this?
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hello @jvbakel,
Sent it.
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hello @ArjanSchepers ,
Sent it.
Regards,
Srinivas Bhat
If you feel this was helpful please click the KUDOS! thumb below!
Note: All of my comments are my own and are not any official representation of HPE.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]