HPE 3PAR StoreServ Storage

SSMC and log4j vulnerability

Cpartipilo
Regular Visitor

Re: SSMC and log4j vulnerability

@areus I am also a novice, but I would create a new VM appliance with the SSMC ISO, then power off the Windows SSMC and attach the storage units to the new appliance via the admin console.

wardb007
Visitor

Re: SSMC and log4j vulnerability

Good day,

 

Would you be able to send me the fix as well, thanks!

 

Re: SSMC and log4j vulnerability

Hello wardb007,

The latest SSMC update version 3.8.2.1 is available for download - https://myenterpriselicense.hpe.com/cwp-ui/free-software/SSMC_CONSOLE

 

Please, next time, click on "Go to solution" as the above is just a copy of it.

Hope that helps.

 



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
goslackware
Occasional Advisor

Re: SSMC and log4j vulnerability

Anyone know where the link to download the upgrade to SSMC 3.6 is? I have an SSMC at 3.5.0.0.165, and the release notes for 3.8 say to upgrade to 3.6 first.

Re: SSMC and log4j vulnerability

Please read this post and let me know if you have any questions.

https://community.hpe.com/t5/HPE-3PAR-StoreServ-Storage/Latest-SSMC-update-v3-8-2-1-is-available-for-download-log4j/m-p/7156990/highlight/true#M7266



I work at HPE
credmond
Occasional Advisor

Re: SSMC and log4j vulnerability

Hello Srinivas - apologies in advance, but it's hard to follow all the changes going on.

It looks like the fix which was released is for a virtual appliance.  We are running the old (inform) 3PAR Management Console 4.7.1.2 application installed on a Windows Server.

1) Is this product vulnerable? I do see a log4j.jar library present in the program folder.
2) If vulnerable, is there a plan for the old Windows-based software to be patched?

Thanks!
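One way to answer the "is the log4j.jar in my program folder the affected library?" question from the post above, as an added example that is not part of the original thread and not HPE code: the December 2021 JNDI lookup issue lives in log4j-core 2.x, which ships `JndiLookup.class`, while Log4j 1.x uses the separate `org.apache.log4j` package. The sketch classifies every Java archive under a folder by content rather than file name; the sample jar, its name and the helper `make_jar` are constructed for illustration.

```python
import io, re, sys, zipfile
from pathlib import Path

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"   # Log4j 2.x lookup class
CORE2 = "org/apache/logging/log4j/core/"                          # any log4j-core 2.x class
V1 = "org/apache/log4j/Logger.class"                              # Log4j 1.x marker
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def make_jar(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def inspect_archive(data, label):
    """Classify one archive given as bytes, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(label, "unreadable", None)]
    findings = []
    with zf:
        names = set(zf.namelist())
        version = None
        if POM in names:  # Maven metadata carries the real version; file names can lie
            m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else None
        if JNDI in names:
            findings.append((label, "log4j2-core, JndiLookup present", version))
        elif any(n.startswith(CORE2) for n in names):
            findings.append((label, "log4j2-core, JndiLookup absent", version))
        elif V1 in names:
            findings.append((label, "log4j 1.x", None))
        for n in sorted(names):
            if n.lower().endswith(ARCHIVES):  # fat jars and WARs embed other jars
                findings += inspect_archive(zf.read(n), label + "!" + n)
    return findings

def scan_tree(root):
    """Inspect every Java archive below a program folder."""
    jars = [p for p in sorted(Path(root).rglob("*")) if p.is_file() and p.suffix.lower() in ARCHIVES]
    return [f for p in jars for f in inspect_archive(p.read_bytes(), str(p))]

if __name__ == "__main__":  # no argument: classify a constructed 1.x jar named like the one in the post
    rows = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else inspect_archive(make_jar({V1: b""}), "log4j.jar")
    print(*rows, sep="\n")
```

A "log4j 1.x" result only says the archive is the older, end-of-life code line rather than log4j-core 2.x; a reported 2.x version still has to be compared against the vendor's and Apache's advisories.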

GregMoss
Occasional Advisor

Re: SSMC and log4j vulnerability

Due to lack of resources, SSMC hasn't been upgraded since deployment. My upgrade path and issues are:

  • 3.31.25068 (Win2019) to 3.6.0.0.269  (new Appliance)
  • Used "SSMC Migration Tool" to migrate data 3.3 to 3.6
    • Clusters and Certs Migrate
    • NO USER ACCOUNTS - Unable to log into Management Console (Admin Console available with SSMCADMIN)
  • 3.60 to 3.812 upgrade FAILS
  • Uploaded proper STAR file. Upload proceeds, several disconnects (expected). Console comes back with 3.60 version (no error messages) 

Please advise. I am stuck with a 3.60 Appliance, no way to log in. All attempts at upgrades to patched version fail.

Re: SSMC and log4j vulnerability

> NO USER ACCOUNTS - Unable to log into Management Console (Admin Console available with SSMCADMIN)

This is normal. Apart from the "ssmcadmin" user, the SSMC-appliance itself does not maintain user-accounts.

User-accounts are handled via 3PAR/Primera user-credentials, which can also use LDAP/AD. So in other words: if you log on e.g. via 3paradm to the SSMC-webgui, SSMC will talk to the connected arrays and let them verify the credentials.

> 3.60 to 3.812 upgrade FAILS

> Uploaded proper STAR file. Upload proceeds, several disconnects (expected). Console comes back with 3.60 version (no error messages) 

You should open a support case for this. Alternatively, you may find some information in /var/log/applilance.log.

To read the file you need to ssh to the TUI, then exit to shell.

> Please advise. I am stuck with a 3.60 Appliance, no way to log in. All attempts at upgrades to patched version fail.

As you are able to attempt to update, I assume that you are able to log in to the administration page via the ssmcadmin user.

If not... Starting with SSMC 3.6, the former admin-account has been merged/deleted and is now "ssmcadmin".

The default "ssmcadmin" user password is "ssmcadmin" and the appliance will force you to change this when you first log in to the appliance.

This is also documented in the admin guide.

If the upgrade from 3.6 to 3.8.2.1 fails, then try to upgrade to 3.7, or 3.8 first.

 

Hope that helps, otherwise I recommend opening a support case.



I work at HPE
BBARBAROS
Advisor

Re: SSMC and log4j vulnerability


@GregMoss wrote:

> 3.60 to 3.812 upgrade FAILS

> Uploaded proper STAR file. Upload proceeds, several disconnects (expected). Console comes back with 3.60 version (no error messages)

Finally, someone else is also having the same problem I've been dealing with.... I'm not alone

goslackware
Occasional Advisor

Re: SSMC and log4j vulnerability

This is what worked for my SSMC upgrade:
# started with SSMC 3.5
Upgrade #1: HPESSMC-3.6.0.0.269-Appliance_Upgrade.star
Upgrade #2: HPESSMC-3.8.0.0.330-Appliance_Upgrade.star
Upgrade #3: HPESSMC-3.8.2.1.9-Appliance_Upgrade.star

V/r,

Darren DeHaven
Systems Architect
Refugee Processing Center
U.S. Department of State, PRM/A
1401 Wilson Blvd. Suite 1100
Arlington, VA 22209
Office: 703-907-7212
GregMoss
Occasional Advisor

Re: SSMC and log4j vulnerability

Thank you for this. I was going to attempt (another) serial upgrade, but was unclear on what next versioning would best work.

Will post results. 

GregMoss
Occasional Advisor

Re: SSMC and log4j vulnerability

Official response from HPE: "Recommending to reboot the VM and let us know if the SSMC login works again." This translates to "We have no idea or clue" (Have you turned it off and on again?). I had, more than several times. I would have hoped for at least log collection. HPE pushes the definition of "support".

I am going to try a serial upgrade (as suggested, and accomplished by another user)

GregMoss
Occasional Advisor

Re: SSMC and log4j vulnerability

Thank you for the in-depth reply.

After the original post, I ran the migration again (to capture results). Users did appear (understood that they aren't maintained in SSMC). The only data I had seen at that point was Cluster Connections (and Certs). I was unclear on what the Migration tool had brought over (i.e. LDAP and AD connections).

I did open a ticket (with above mentioned results). HPE's response was reboot. I am going to follow your and another poster's advice and make it a multi-step serial upgrade (I wasn't going on holiday anyway....)

Thank you again, and I will post results. 

credmond
Occasional Advisor

Re: SSMC and log4j vulnerability

@sbhat09 Thanks for this link to the updated appliance!

However, after upgrading, my SSMC can no longer connect to my 7400 units. It connects to my 8400 no problem. At first I thought it was a cert issue, but re-issuing the certs did not help (after cert acceptance, the connect still fails). Any ideas? Thanks!

sbhat09
HPE Pro

Re: SSMC and log4j vulnerability

Hello @credmond,

HPE stopped updates and support for Management Console more than 5 years ago. There will not be any support if the Management Console is found vulnerable.

Please upgrade to the latest version of SSMC.

Regards,

Srinivas Bhat 



I work at HPE
credmond
Occasional Advisor

Re: SSMC and log4j vulnerability

Srinivas - thank you for the confirmation, much appreciated.

GregMoss
Occasional Advisor

Re: SSMC and log4j vulnerability

That is a HORRIBLE answer, we are ALL trying to do that.

Sorry, but I've been trying to get to the latest version (as have many others here) for days. Your comment is a slap in the face to all of us struggling to install YOUR product.

If you're not going to help, don't post. 

GregMoss
Occasional Advisor

Re: SSMC and log4j vulnerability

I found it in my Enterprise agreement. 

I also had to go from 3.3 to 3.6. However, I cannot get 3.6 to upgrade. I am in the middle of attempting a serial upgrade and will try to do 3.6 to 3.6.1 (3.6 to all above 3.61 has failed)

HPE is not helping here. Latest comment was "install latest version". After 3 days on this, I'd slap him if he said that to my face....

Good luck, I will post results if it works.

sbhat09
HPE Pro

Re: SSMC and log4j vulnerability

Hello @GregMoss,

HPE stopped Management Console more than 5 years ago and released the alternative tool SSMC, which is advanced, much more user friendly, convenient and secure. HPE provides updates and complete support for SSMC. It is not within industry standard to update a product which was retired 5 years ago. But you have a well-supported alternative here.

Srinivas Bhat



I work at HPE
GregMoss
Occasional Advisor

Re: SSMC and log4j vulnerability

Update.

3.3 to 3.6 successful (Users, LDAP, certs all present)

3.6 to 3.812 Fails, 2.6 to 3.80 Fails, 2,6 to 2,7 Fails. 

Trying 2.6 to 2.61 (Suspect it will also Fail)

SR opened. Advice was reboot (arrrgh). I had several times, did again, no help. All in all HPE has not been at all useful. Very disappointed.

sbhat09
HPE Pro

Re: SSMC and log4j vulnerability

@GregMoss Why are you upgrading to 2.6 or 2.7? Try from 3.8.x to 3.8.2.1

-Srinivas Bhat



I work at HPE
GregMoss
Occasional Advisor

Re: SSMC and log4j vulnerability

"3.6 to 3.812 Fails, 2.6 to 3.80 Fails, 2,6 to 2,7 Fails. " was a mistype. Should read "3.6 to 3.812 Fails, 2.6 to 3.80 Fails, 3.6 to 3.7 Fails." ADDING 3.6 to 3.8 Fails AND 3.6 to 3.8 Fails

SSH'ed in, pulled SSMC.log (2 days old, 22megs), filled with entries (similar to) below. I've attached logs to SR with HPE.

2021-12-23 13:36:03.476+1100 ERROR c.h.t.n.i.AlertsLocalizationUtil - Badly formatted introduced version: {"alertType":"EVT_FSVC_STATE_CHANGE","catalogKey":"archiving-event:archiving.cmd.failedvalidation-file-store","customerCorrectiveAction":"An event occurred that requires attention. Contact your authorized service provider for assistance.","forService":false,"introducedVersion":"3.3.1.MU1.P07","messageCode":7208961,"serviceCorrectiveAction":"An event occurred that requires attention. Contact your authorized service provider.","stateText":"FAILED","tier":"general","typeDescription":"File Services state change"}

andrewk4
Frequent Visitor

Re: SSMC and log4j vulnerability

I had no issues upgrading though I always keep fairly up to date and only had to go up one version.

For those having issues though - why not just spin up a fresh install of the latest version? Seems it would be way faster and less hassle. You can always keep the old one around (and offline so not vulnerable) and not delete till ready. Just a thought.

Happy holidays all

BBARBAROS
Advisor

Re: SSMC and log4j vulnerability

@andrewk4 

Well, we definitely thought about that, you can be sure. Same result.... brand new 3.8, nothing is attached, tried both 3.8 upgrade and 3.8.2.1 upgrade, it wouldn't do

goslackware
Occasional Advisor

Re: SSMC and log4j vulnerability

Try: 3.3 -> 3.6 -> 3.8 -> 3.8.x.x (latest)

Or deploy a new SSMC, then shut down the old SSMC when convenient