- SSMC and log4j vulnerability
12-20-2021 08:09 AM
Re: SSMC and log4j vulnerability
@areus I am also a novice, but I would create a new VM appliance with the SSMC ISO, then power off the Windows SSMC and attach the storage units to the new appliance via the admin console.
12-20-2021 08:30 AM
Re: SSMC and log4j vulnerability
Good day,
Would you be able to send me the fix as well, thanks!
12-20-2021 08:34 AM
Re: SSMC and log4j vulnerability
Hello wardb007,
The latest SSMC update version 3.8.2.1 is available for download - https://myenterpriselicense.hpe.com/cwp-ui/free-software/SSMC_CONSOLE
Please, next time, click on "Go to solution" as the above is just a copy of it.
Hope that helps.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

12-20-2021 11:44 AM
Re: SSMC and log4j vulnerability
Anyone know where the link to download the upgrade to SSMC 3.6 is at? I have an SSMC at 3.5.0.0.165, and the release notes for 3.8 say to upgrade to 3.6 first.
12-20-2021 01:34 PM
Re: SSMC and log4j vulnerability
Please read this post and let me know if you have any questions.
I work at HPE
12-21-2021 08:06 AM - edited 12-21-2021 11:50 AM
Re: SSMC and log4j vulnerability
Hello Srinivas - apologies in advance, but it's hard to follow all the changes going on.
It looks like the fix which was released is for a virtual appliance. We are running the old (inform) 3PAR Management Console 4.7.1.2 application installed on a Windows Server.
1) Is this product vulnerable? I do see a log4j.jar library present in the program folder.
2) If vulnerable, is there a plan for the old Windows-based software to be patched?
Thanks!
12-22-2021 12:27 AM
Re: SSMC and log4j vulnerability
Due to lack of resources, SSMC hasn't been upgraded since deployment. My upgrade path and issues are
- 3.31.25068 (Win2019) to 3.6.0.0.269 (new Appliance)
- Used "SSMC Migration Tool" to migrate data 3.3 to 3.6
- Clusters and Certs Migrate
- NO USER ACCOUNTS - Unable to log into Management Console (Admin Console available with SSMCADMIN)
- 3.60 to 3.812 upgrade FAILS
- Uploaded proper STAR file. Upload proceeds, several disconnects (expected). Console comes back with 3.60 version (no error messages)
Please advise. I am stuck with a 3.60 Appliance, no way to log in. All attempts at upgrades to patched version fail.
12-22-2021 01:25 AM
Re: SSMC and log4j vulnerability
> NO USER ACCOUNTS - Unable to log into Management Console (Admin Console available with SSMCADMIN)
This is normal. Apart from the "ssmcadmin" user, the SSMC appliance itself does not maintain user accounts.
User accounts are handled via 3PAR/Primera user credentials, which can also use LDAP/AD. In other words: if you log on e.g. via 3paradm to the SSMC web GUI, SSMC will talk to the connected arrays and let them verify the credentials.
> 3.60 to 3.812 upgrade FAILS
> Uploaded proper STAR file. Upload proceeds, several disconnects (expected). Console comes back with 3.60 version (no error messages)
You should open a support case for this. Alternatively, you may find some information in /var/log/applilance.log.
To read the file you need to ssh to the TUI, then exit to shell.
> Please advise. I am stuck with a 3.60 Appliance, no way to log in. All attempts at upgrades to patched version fail.
As you are able to attempt to update, I assume that you are able to log in to the administration page via the ssmcadmin user.
If not... Starting with SSMC 3.6, the former admin account has been merged/deleted and is now "ssmcadmin".
The default "ssmcadmin" user password is "ssmcadmin" and the appliance will force you to change this when you first log in to the appliance.
This is also documented in the admin guide.
If the upgrade from 3.6 to 3.8.2.1 fails, then try to upgrade to 3.7, or 3.8 first.
Hope that helps, otherwise I recommend opening a support case.
I work at HPE
12-22-2021 05:32 AM
Re: SSMC and log4j vulnerability
@GregMoss wrote:
> - 3.60 to 3.812 upgrade FAILS
> - Uploaded proper STAR file. Upload proceeds, several disconnects (expected). Console comes back with 3.60 version (no error messages)
Finally, someone else is also having the same problem I've been dealing with... I'm not alone
12-22-2021 05:37 AM
Re: SSMC and log4j vulnerability
# started with SSMC 3.5
Upgrade #1: HPESSMC-3.6.0.0.269-Appliance_Upgrade.star
Upgrade #2: HPESSMC-3.8.0.0.330-Appliance_Upgrade.star
Upgrade #3: HPESSMC-3.8.2.1.9-Appliance_Upgrade.star
V/r,
Darren DeHaven
Systems Architect
Refugee Processing Center
U.S. Department of State, PRM/A
1401 Wilson Blvd. Suite 1100
Arlington, VA 22209
Office: 703-907-7212
12-22-2021 12:04 PM
Re: SSMC and log4j vulnerability
Thank you for this. I was going to attempt (another) serial upgrade, but was unclear on which next versioning would best work.
Will post results.
12-22-2021 12:08 PM
Re: SSMC and log4j vulnerability
Official response from HPE: "Recommending to reboot the VM and let us know if the SSMC login works again." This translates to "We have no idea or clue" (Have you turned it off and on again?). I had, more than several times. I would have hoped for at least log collection. HPE pushes the definition of "support".
I am going to try a serial upgrade (as suggested, and accomplished by another user)
12-22-2021 12:25 PM
Re: SSMC and log4j vulnerability
Thank you for the in-depth reply,
After the original post, I ran the migration again (to capture results). Users did appear (Understood that they aren't maintained in SSMC). The only data I had seen at that point was Cluster Connections (and Certs). I was unclear on what the Migration tool had brought over (i.e. LDAP and AD connections).
I did open a ticket (with above mentioned results). HPE's response was reboot. I am going to follow your and another poster's advice and make it a multi-step serial upgrade (I wasn't going on holiday anyway....)
Thank you again, and I will post results.
12-22-2021 01:36 PM - edited 12-22-2021 06:01 PM
Re: SSMC and log4j vulnerability
@sbhat09 Thanks for this link to the updated appliance!
However, after upgrading my SSMC can no longer connect to my 7400 units. It connects to my 8400 no problem. At first I thought it was a cert issue, but re-issuing the certs did not help (after cert acceptance, the connect still fails). Any ideas?? Thanks!
12-22-2021 05:33 PM
Re: SSMC and log4j vulnerability
Hello @credmond,
HPE stopped updates and support for Management Console more than 5 years ago. There will not be any support if the Management Console is found vulnerable.
Please upgrade to the latest version of SSMC.
Regards,
Srinivas Bhat
I work at HPE
12-22-2021 05:38 PM
Re: SSMC and log4j vulnerability
Srinivas - thank you for the confirmation, much appreciated.
12-22-2021 05:42 PM
Re: SSMC and log4j vulnerability
That is a HORRIBLE answer, we are ALL trying to do that.
Sorry, but I've been trying to get to the latest version (as have many others here) for days. Your comment is a slap in the face to all of us struggling to install YOUR product.
If you're not going to help, don't post.
12-22-2021 05:46 PM
Re: SSMC and log4j vulnerability
I found it in my Enterprise agreement.
I also had to go from 3.3 to 3.6. However, I cannot get 3.6 to upgrade. I am in the middle of attempting a serial upgrade and will try to do 3.6 to 3.6.1 (3.6 to all above 3.61 has failed)
HPE is not helping here. Latest comment was "install latest version". After 3 days on this, I'd slap him if he said that to my face....
Good luck, I will post results if it works.
12-22-2021 05:53 PM
Re: SSMC and log4j vulnerability
Hello @GregMoss,
HPE stopped Management Console more than 5 years ago and released the alternative tool SSMC, which is advanced, much more user friendly, convenient and secure. HPE provides updates and complete support for SSMC. It is not within industry standard to update a product which was retired 5 years ago. But you have a well supported alternative here.
Srinivas Bhat
I work at HPE
12-22-2021 05:58 PM
Re: SSMC and log4j vulnerability
Update.
3.3 to 3.6 successful (Users, LDAP, certs all present)
3.6 to 3.812 Fails, 2.6 to 3.80 Fails, 2,6 to 2,7 Fails.
Trying 2.6 to 2.61 (Suspect it will also Fail)
SR opened. Advice was Reboot (arrrgh). I had several times, did again, no help. All in all HPE has not been at all useful. Very disappointed.
12-22-2021 06:36 PM
Re: SSMC and log4j vulnerability
@GregMoss Why are you upgrading to 2.6 or 2.7? Try from 3.8.x to 3.8.2.1
-Srinivas Bhat
I work at HPE
12-22-2021 07:26 PM
Re: SSMC and log4j vulnerability
"3.6 to 3.812 Fails, 2.6 to 3.80 Fails, 2,6 to 2,7 Fails. " was a mistype. Should read "3.6 to 3.812 Fails, 2.6 to 3.80 Fails, 3.6 to 3.7 Fails." ADDING 3.6 to 3.8 Fails AND 3.6 to 3.8 Fails.
SSH'ed in, pulled SSMC.log (2 days old, 22megs), filled with entries (similar to) below. I've attached logs to SR with HPE.
2021-12-23 13:36:03.476+1100 ERROR c.h.t.n.i.AlertsLocalizationUtil - Badly formatted introduced version: {"alertType":"EVT_FSVC_STATE_CHANGE","catalogKey":"archiving-event:archiving.cmd.failedvalidation-file-store","customerCorrectiveAction":"An event occurred that requires attention. Contact your authorized service provider for assistance.","forService":false,"introducedVersion":"3.3.1.MU1.P07","messageCode":7208961,"serviceCorrectiveAction":"An event occurred that requires attention. Contact your authorized service provider.","stateText":"FAILED","tier":"general","typeDescription":"File Services state change"}
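A way to see how much of a large SSMC.log is taken up by one repeated entry like the one quoted in the post above, as an added example that is not part of the thread or of HPE's tooling: it groups ERROR lines by logger and message and tallies the `introducedVersion` values in their JSON payloads. The line layout is taken from the quoted entry; the sample lines, the `example.UpgradeTask` logger and the function name are constructed for the demonstration.

```python
import json
import re
from collections import Counter

# Layout of the entry quoted in the post: <timestamp> <LEVEL> <logger> - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

def summarize(lines):
    """Count ERROR entries per (logger, message text) and tally the
    introducedVersion field of any JSON payload following the text."""
    counts, versions = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or m["level"] != "ERROR":
            continue
        prefix, brace, rest = m["msg"].partition("{")
        counts[(m["logger"], prefix.rstrip(" :"))] += 1
        if not brace:
            continue
        try:
            doc = json.loads(brace + rest)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON tail: the entry is still counted
        if isinstance(doc, dict) and "introducedVersion" in doc:
            versions[doc["introducedVersion"]] += 1
    return counts, versions

# Constructed sample. The first entry is shortened from the one in the post;
# the remaining lines are invented so the grouping has something to separate.
SAMPLE = [
    '2021-12-23 13:36:03.476+1100 ERROR c.h.t.n.i.AlertsLocalizationUtil - Badly formatted introduced version: {"alertType":"EVT_FSVC_STATE_CHANGE","introducedVersion":"3.3.1.MU1.P07","messageCode":7208961}',
    '2021-12-23 13:36:03.480+1100 ERROR c.h.t.n.i.AlertsLocalizationUtil - Badly formatted introduced version: {"alertType":"EVT_CONSTRUCTED_A","introducedVersion":"3.3.1.MU1.P07"}',
    '2021-12-23 13:36:03.481+1100 ERROR c.h.t.n.i.AlertsLocalizationUtil - Badly formatted introduced version: {"alertType":"EVT_CONSTRUCTED_B","introducedVersion":"3.3.1.MU',
    '2021-12-23 13:36:05.120+1100 ERROR example.UpgradeTask - constructed upgrade failure line',
    '2021-12-23 13:36:06.000+1100 INFO example.UpgradeTask - constructed informational line',
]

if __name__ == "__main__":
    counts, versions = summarize(SAMPLE)
    for (logger, text), n in counts.most_common():
        print(f"{n:6d}  {logger}  {text}")
    print("introducedVersion values:", dict(versions))
```

Run over the real file, the entries left after discounting the dominant group are the ones worth reading before attaching the log to a support case.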
12-23-2021 12:40 PM
Re: SSMC and log4j vulnerability
I had no issues upgrading though I always keep fairly up to date and only had to go up one version.
For those having issues though - why not just spin up a fresh install of the latest version? Seems it would be way faster and less hassle. You can always keep the old one around (and offline so not vulnerable) and not delete till ready. Just a thought.
Happy holidays all
12-24-2021 07:41 AM
Re: SSMC and log4j vulnerability
Well, we definitely thought about that, you can be sure
12-26-2021 07:12 AM
Re: SSMC and log4j vulnerability
Try: 3.3 -> 3.6 -> 3.8 -> 3.8.x.x (latest)
Or deploy a new SSMC, then shut down the old SSMC when convenient