HPE Community
HPE SimpliVity
1833758 Members
2760 Online
110063 Solutions
New Discussion

log4j vulnerability in OmniStack itself?

 
elange
Occasional Advisor

‎12-20-2021 11:28 PM - last edited on ‎01-04-2022 12:05 AM by

‎12-20-2021 11:28 PM - last edited on ‎01-04-2022 12:05 AM by

log4j vulnerability in OmniStack itself?

Hello,

 

i am a bit curious as there is only the thread about the vcenter here in the forum.

According to security bulletin hpesbgn04215en_us it seems all OmniStacks versions are affected from this issue.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us

 

Sure, there must be some kind of word or workaround about it?

 

Hoping for the workaround instructions. Change the log4j config if required in the OmniStack and restart the service?

 

Am i just missing the correct thread?

 

Still several weeks before we can get rid of the legacy Hardware ...

 

Regards,

El

0 Kudos
Reply
6 REPLIES 6
support_s
System Recommended

‎12-21-2021 12:29 AM

‎12-21-2021 12:29 AM

Query: log4j vulnerability in OmniStack itself?

System recommended content:

1. HPE Ezmeral Container Platform: Log4j vulnerability impact of CVE-2021-44228 and CVE-2021-45046 on HPE Ezmeral Container Platform

 

If the above information is helpful, then please click on "Thumbs Up/Kudo" icon.

 

Thank you for being a HPE community member.


Accept or Kudo

0 Kudos
Reply
elange
Occasional Advisor

‎12-21-2021 01:10 AM

‎12-21-2021 01:10 AM

Re: Query: log4j vulnerability in OmniStack itself?

So are you saying that inside every omnistack there is an Ezmeral Container Plattform running?

How would one access the container running inside the OmniStack VM Ezmeral Container Plattform?

0 Kudos
Reply
Sjoerd2106
Advisor

‎12-23-2021 01:46 AM

‎12-23-2021 01:46 AM

Re: Query: log4j vulnerability in OmniStack itself?

I also think that there should be more transparency from HPE about the way SimpliVity is affected by the log4j bug is and what steps will be taken to mitigate the issue for SimpliVity.

0 Kudos
Reply
Parvez_Admin
Community Manager

‎01-04-2022 12:03 AM

‎01-04-2022 12:03 AM

Re: Query: log4j vulnerability in OmniStack itself?

Hello,

I would recommend to directly contact technical support and log a support call for more clarity on this. Please refer the links below for support ticket options:

https://support.hpe.com/help/en/Content/supportAndOtherResources.html

https://www.hpe.com/psnow/doc/A00039121ENW


Thanks,
Parvez_Admin
I work for HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
CM_Cert_Logo_Color.png
0 Kudos
Reply
Sjoerd2106
Advisor

‎01-04-2022 12:44 AM

‎01-04-2022 12:44 AM

Re: Query: log4j vulnerability in OmniStack itself?

HPE has a Security Bulletin with all affected software for log4j:

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us

SimpliVity is on that list. There is is also a specific SimpliVity support alert if you at the above page:

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120260en_us

So, it seems that SimpliVity is affected by the log4j bug, because vCenter is affected. That seems logical, because you need vCenter for managing SimpliVIty.

But how difficult can it be to add a few lines to the above article that the other SimpliVity software components (like the OVC's) are not affected by the log4j bug? It would prevent a lot of support tickets towards HPE.

Reply
MikeSeden
HPE Pro

‎01-04-2022 05:43 AM

‎01-04-2022 05:43 AM

Re: Query: log4j vulnerability in OmniStack itself?

After much effort by our supporting engineers it was decided that the VMware vCenter patch for the  log4j security problem is acceptable and compatable. SimpliVity is NOT affected, as SimpliVity does not use log4j . The VMware OS that is being used with the SimpliVity was what was affected. The SimpliVity configurations were put on the security bulletin for that reason.

Applying the VMware vCenter patch is the SimpliVity solution to ther Apache log4j(*) security issues.


While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company
Accept or Kudo
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.