HPE SimpliVity
vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

 
koal
Occasional Contributor

vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

VMware just released its recommended workaround for the Log4j vulnerability for vCenter. I'm a relative newbie to SimpliVity. What is HPE's stance usually on these types of workarounds? Is it recommended to wait for an approved patch? Is there usually an HPE evaluation and approval on workarounds such as this?

 

https://kb.vmware.com/s/article/87081?lang=en_US#vCenter7.0

jfrobs
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

It would be nice if HP would quickly validate the possibility to patch the SimpliVity VCSA.

Even if most of them should not be exposed on the internet.
gustenar
HPE Pro

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

Hello @koal @jfrobs 

The impact of this security vulnerability on the HPE SimpliVity product line has yet to be determined. Please follow this Customer Advisory link for more details:

Apache Software Log4j - Security Vulnerability CVE-2021-44228

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120086en_us

Thanks



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Johannes_we
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

TBH, this Customer Advisory is worth nothing.

Can only advise HPE to look at how VMware is communicating:
VMSA-2021-0028.1 (vmware.com)

This is so much better than HPE; even after 4 days there is not even a list of products that might be affected or are not.

Another example:

CVE-2021-44228 Apache Log4j Vulnerability in NetApp Products | NetApp Product Security

 

SanjeevGoyal
HPE Pro

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

Hello,

I would suggest you follow the below customer advisory for more clarification.

Notice: (Revision) Apache Software Log4j - Security Vulnerability CVE-2021-44228
https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120086en_us

If you feel this was helpful please click the KUDOS! thumb below and accept the solution.
Regards,


I am an HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


Johannes_we
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

Hey, it seems there is finally some content that was not there previously.

 

Oliver Pergler
Senior Member

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

We did not find the log4j library on OVCs with releases 4.0.1 and 4.1.0. There is also no Apache service, as OVCs have no web interface. I assume SimpliVity is not affected. However, confirmation from HPE is still pending.

We only find log4j-over-slf4j on OVCs, a migration tool from log4j to slf4j.
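The check described above (looking for a real log4j-core jar versus the log4j-over-slf4j bridge, which only re-exports the Log4j 1.x API and contains no JNDI lookup) can be scripted so it is repeatable across many appliances. The following is an added example written for this thread, not code from HPE, VMware or any poster; it assumes jars follow the usual Maven naming (`log4j-core-<version>.jar`) and builds its own constructed sample tree so it runs offline. It classifies each jar as `vulnerable` (log4j-core below 2.15.0 with `JndiLookup.class` present), `jndi-removed` (the class deleted, the documented mitigation for old builds), `fixed` (2.15.0 or later, which closed CVE-2021-44228; later releases address follow-on CVEs) or `shim`.

```python
import os
import re
import tempfile
import zipfile

# Vulnerable implementation jar vs. compatibility shims that carry no JndiLookup.
LOG4J_CORE_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+).*\.jar$", re.IGNORECASE)
SHIM_RE = re.compile(
    r"^(log4j-over-slf4j|log4j-to-slf4j|log4j-api)-.*\.jar$", re.IGNORECASE
)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def classify_jar(path):
    """Return 'vulnerable', 'jndi-removed', 'fixed', 'shim', 'unreadable', or None."""
    name = os.path.basename(path)
    if SHIM_RE.match(name):
        return "shim"  # bridge/API jars only, no Log4j 2 core code inside
    m = LOG4J_CORE_RE.match(name)
    if not m:
        return None  # not a Log4j 2 core jar at all
    version = tuple(int(x) for x in m.groups())
    if version >= (2, 15, 0):
        return "fixed"  # CVE-2021-44228 closed from 2.15.0 onwards
    try:
        with zipfile.ZipFile(path) as jar:
            has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    except zipfile.BadZipFile:
        return "unreadable"  # cannot inspect: treat as a finding to follow up
    return "vulnerable" if has_jndi else "jndi-removed"


def scan_tree(root):
    """Walk a directory tree and classify every Log4j-related jar found."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                p = os.path.join(dirpath, f)
                verdict = classify_jar(p)
                if verdict:
                    results[os.path.relpath(p, root)] = verdict
    return results


def build_sample_tree():
    """Constructed test data: throwaway empty-class jars, not real artefacts."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make_jar(rel, members):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with zipfile.ZipFile(p, "w") as jar:
            for member in members:
                jar.writestr(member, b"")

    make_jar("app/lib/log4j-core-2.14.1.jar", ["META-INF/MANIFEST.MF", JNDI_LOOKUP_CLASS])
    make_jar("app/lib/log4j-core-2.11.0.jar", ["META-INF/MANIFEST.MF"])  # class removed
    make_jar("app/lib/log4j-core-2.17.1.jar", ["META-INF/MANIFEST.MF", JNDI_LOOKUP_CLASS])
    make_jar("ovc/lib/log4j-over-slf4j-1.7.30.jar",
             ["META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class"])
    make_jar("ovc/lib/commons-io-2.8.0.jar", ["META-INF/MANIFEST.MF"])
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{verdict:13s} {rel}")
```

Point `scan_tree` at a real filesystem root to use it on an appliance; an inventory that shows only `shim` entries matches the observation above, while any `vulnerable` or `unreadable` entry is worth a ticket with the vendor. Jars nested inside other jars or WAR files are not unpacked here.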

gustenar
HPE Pro

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

New updates are getting posted to the customer advisory as available. Simplivity is impacted and the workaround has yet to be qualified. 



klassey
Regular Visitor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

I would wait for an official patch or instructions from HPE; when reading the VMware workaround, this caught my attention:

"Impact / Risks
VCHA needs to be removed before executing the steps in this KB article."

-best

Brian_Galante
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

That's referring to vCenter HA, as in two vCenters in HA, which is set at the vSphere level, not HA for the VMs themselves set at the cluster level. I don't think you can even remove that, lol.

 

 

Håkan Persson_1
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

Brian_Galante
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

I opened a support case (HPE Support Case 5360796459) with HPE and they recommended the VMware published workaround. So I take that as the official word.

Please review the below advisory. 

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us

Workaround to fix the issue.
https://kb.vmware.com/s/article/87081?lang=en_US


gustenar
HPE Pro

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

Hello @Brian_Galante 

While there is a workaround from VMware to remediate the issue, it hasn't been qualified for Simplivity systems. Please visit the customer advisory for updates, once a workaround or resolution is available it will be communicated accordingly. 



Ryan_Hardy
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)


@gustenar wrote:

While there is a workaround from VMware to remediate the issue, it hasn't been qualified for Simplivity systems. Please visit the customer advisory for updates, once a workaround or resolution is available it will be communicated accordingly. 


THIS. Exactly this is why SimpliVity is so bad. You guys take months to release software updates only to notice that once you release software (or take it back because you decide it is only valid for a new product) it is unsuitable already. Clearly with this attitude you should not play the HCI game where you highly depend on software (hypervisor) from another party.

Of all the vendors we have in our company, none is sooo slow with giving information about affected products - not even mentioning any workarounds.

HPE seems to live in a bubble where time runs a little slower and hackers stay away because they pity us for using HPE products.

TroyPayne
Occasional Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

This HPE security bulletin says SimpliVity and OmniCube are affected, but makes no mention of the vCenter which the OVCs are dependent upon....

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us

The CyberSec and IT Mgmt at my company are pressuring me to apply the VMware fix, but I've been burned in the past by not waiting for HPE with regards to vCenter for SimpliVity updates.

So I wait.

Ryan_Hardy
Frequent Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

FYI: I have applied the vCenter modifications as soon as VMware recommended them and have not had any issues with my SimpliVity systems since. YMMV.

Oliver Pergler
Senior Member

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

I have applied the vCenter Python Log4j workaround script on ~12 SimpliVity clusters with no issue so far.

l_lang
Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

I can also confirm that the VMware Workaround had no impact on Simplivity. I would go ahead and mitigate the vulnerability ASAP.

Erik Wattnem
Occasional Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

I may have missed it, but I still don't see that the VMware workaround, vCenter in my case, has been qualified for SimpliVity systems yet. Anyone have any updates?

l_lang
Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

Well, you can wait a couple of weeks until they come out with an official statement that the workaround is qualified for SimpliVity. If you are unlucky, your system gets encrypted in the meantime. Apply the existing workarounds now!

Erik Wattnem
Occasional Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

This is pretty disappointing. 2 weeks since the workaround for Log4j on VMware vCenter and no word that we can officially apply it to environments with SimpliVity.

@HPE - Is it safe to apply?  When is it expected to be approved?

adidasnmotion
Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

If it helps any, I contacted VMware support about this. I asked them if they were aware of this fix causing any issues with vCenter plugins such as SimpliVity. They told me that it should not. Granted they won't know as much as HPE when it comes to the SimpliVity plugin, I assumed they should hopefully be aware enough to know how it interacts with vCenter plugins. I went ahead and ran the fix and in my particular case it does not appear to have caused any issues.
gustenar
HPE Pro

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

New customer advisory came out: 

https://support.hpe.com/hpesc/public/docDisplay?docId=a00120260en_us

Applying the workaround does not impact Simplivity. 



Erik Wattnem
Occasional Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

This is fantastic. Thank you!

Erik Wattnem
Occasional Advisor

Re: vCenter workaround for CVE-2021-44228 (Apache Log4j vulnerability)

Thanks Alex for the info!