Operational Defect Database

BugZero found this defect 856 days ago.

Hewlett Packard Enterprise | hpesbgn04215en_us

HPESBGN04215 rev.12 - Certain HPE Products using Apache Log4j, Remote Arbitrary Code Execution, Remote Code Execution, and Remote Denial of Service

Last update date:

2/28/2024

Affected products:

Cray ClusterStor Data Services

Cray View for ClusterStor

HPE 5G Core Stack (5GCS)

HPE Authentication Server Function (AUSF)

HPE Cray System Management

HPE DRAGON

HPE Edge Infrastructure Automation

HPE Ezmeral Data Fabric Software

HPE Integrated Home Subscriber Server Software Series

HPE Intelligent Assurance

HPE Intelligent Management Center Enterprise Software Platform

HPE Media Workflow Manager (MWM)

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Info

Document ID: hpesbgn04215en_us
Version: 12

HPESBGN04215 rev.12 - Certain HPE Products using Apache Log4j, Remote Arbitrary Code Execution, Remote Code Execution, and Remote Denial of Service

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2021-12-14
Last Updated: 2022-01-15

Potential Security Impact: Remote: Arbitrary Code Execution, Code Execution, Denial of Service (DoS)

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

CVE-2021-44228: Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVE-2021-45046: A Remote Code Execution vulnerability was found in the original fix for CVE-2021-44228.

CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015.

CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.

CVE-2021-44832: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server.

Please see the following link for more information: https://logging.apache.org/log4j/2.x/

The impacted products listed below are vulnerable to one or more CVEs listed above.

References:
CVE-2021-44228 - Remote Arbitrary Code Execution
CVE-2021-45046 - Remote Code Execution
CVE-2021-4104 - Remote Code Execution
CVE-2021-45105 - Remote Denial of Service
CVE-2021-44832 - Remote Code Execution

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HPE XP Performance Advisor Software - 7.5 through 8.4
HPE SimpliVity 380 Gen10 VMware environment
HPE SimpliVity 380 Gen9 VMware environment
HPE SimpliVity 325 Gen10 VMware environment
HPE SimpliVity 325 Gen10 Plus VMware environment
HPE SimpliVity 2600 Gen10 VMware environment
SimpliVity OmniCube VMware environment
HPE 3PAR Service Processor - Prior to 5.0.9.2
HPE SANnav Management Software - 2.0.0/2.1.1
HPE Intelligent Management Center (iMC) - HPE IMC Standard and Enterprise 7.3 (E0706) and 7.3 (E0706P06)
HPE Ezmeral Container Platform - Bluedata EPIC 3.x and 4.x, and HPE Ezmeral Container Platform version 5.x
HPE Ezmeral Data Fabric - Ezmeral Data Fabric Core / Client - v6.2.0; MCS - v6.0.1, v6.1.0, v6.1.1 & v6.2.0; Installer - v1.17.0.0 and older
HPE Real Time Management System (RTMS) - RTMS 3.0.x, RTMS 3.1.x
HPE Device Entitlement Gateway (DEG) - 5
HPE Unified Data Management (UDM) - UDM: 1.2009.0, 1.2101.0, 1.2103.0, 1.2105.0, 1.2107.0, 1.2109.0, 1.2109.1
HPE StoreServ Management Console (SSMC) - Prior to 3.8.2.1
HPE Hyper Converged 380 VMware environment
HPE Media Workflow Master (MWM) - All versions
HPE Universal IoT (UioT) Platform - 1.6 or later
HPE Dragon - 7.2 and 7.3
HPE Telecom Analytics Smart Profile Server (TASPS) - All versions
HPE Telecom Management Information Platform Software Series - only TeMIP Rest Server 8.3.2; TMB 3.4.0
HPE Authentication Server Function (AUSF) - AUSF: 1.2009.0, 1.2101.0, 1.2103.0, 1.2105.0, 1.2107.0, 1.2109.0
HPE User Data Repository (UDR) - UDR: 1.2106.0, 1.2110.0, 1.2112.0
HPE Unstructured Data Storage Function (UDSF) - UDSF: 1.2108.0, 1.2110.0, 1.2112.0
HPE Dynamic SIM Provisioning (DSP) - DSP3.3, DSP3.1, DSP3.4
HPE Remote SIM Provisioning Manager (RSPM) - RSPM1.3.2 & RSPM1.4.1
HPE Service Director (SD) - 3.7.1 and only for the closed loop snmp-adapter
HPE Trueview Inventory Software Series - 8.6.x, 8.7.x
HPE Edge Infrastructure Automation - 2.0.x
HPE Revenue Intelligence Software Series - All versions
HPE Network Function Virtualization Director (NFV Director) - 5.1.x, 6.0.x
HPE Intelligent Assurance - only Analytics on Metrics
HPE Data Management Framework 7 - v7.x
Cray View for ClusterStor - v1.3.1
HPE Ezmeral Ecosystem Pack (EEP) - Elastic Search - v6.8.8 and older versions; Data Access Gateway (DAG) - v2.x and older; Hive - v2.3.x and older; HBase - v1.4.13 and older; Kafka HDFS Connector - v10.0.0 and older; Drill - v1.16.1 and older
HPE Integrated Home Subscriber Server Software Series - I-HSS 4.0.x only when using nHSS 4G/5G IWK function
HPE Virtual Headend Manager (vHM) - All versions
HPE Cray EX System Monitoring Application (SMA) - All versions
Silver Peak Orchestrator - All customer managed Orchestrator and legacy GMS products are affected by this vulnerability
HPE Hyper Converged 250 System VMware environment
HPE Performance Cluster Manager - Versions 1.4.1 to 1.6
HPE Parallel File System Storage - All versions
Cray ClusterStor Data Services - V2.0
HPE 5G Core Stack (5GCS) - 2.2107.0
HPE XP7 Intelligent Storage Manager - v10.0.0-00 to 10.8.0-00
HPE XP7 Automation Director Software - v10.0.0-01 to 10.8.0-00
HP XP Command View Advanced Edition Software - HostDataCollector Component - 8.7.3 to 8.8.1
HPE XP Plugin - vCST (vCenter Storage Plugin) - All versions
HPE XP Plugin - Redhat Ansible, Terraform, OLVM - All versions
HPE Data Center Fabric Manager (DCNM) - C-Series DCNM 11.3.1, 11.4.1, 11.5.1
Atlas Data Orchestrator - N/A - VM access is required to exploit CVE-2021-44228
HPE Enhanced Interactive Unified Mediation (eIUM) - 9.0 (CIS and Cache with Infinispan components only), 10.6.3
HPE ConvergedSystem 700 (CS700) - HPE 3PAR StoreServ SSMC 3.8, HPE 3PAR Service Processor 5.x, HPE StoreServ Management Console (SSMC) All versions
HPE ConvergedSystem 700 for Virtualization Components and Blocks - HPE 3PAR StoreServ SSMC 3.8, HPE 3PAR Service Processor 5.x, HPE StoreServ Management Console (SSMC) All versions
HPE ConvergedSystem 700x (CS700x) - HPE 3PAR StoreServ SSMC 3.8, HPE 3PAR Service Processor 5.x, HPE StoreServ Management Console (SSMC) All versions
HPE ConvergedSystem 700x for Cloud - HPE 3PAR StoreServ SSMC 3.8, HPE 3PAR Service Processor 5.x, HPE StoreServ Management Console (SSMC) All versions
HPE ConvergedSystem 750 for Virtualization - HPE 3PAR StoreServ SSMC 3.8, HPE 3PAR Service Processor 5.x, HPE StoreServ Management Console (SSMC) All versions
HPE ConvergedSystem 750 for Virtualization Components and Blocks - HPE 3PAR StoreServ SSMC 3.8, HPE 3PAR Service Processor 5.x, HPE StoreServ Management Console (SSMC) All versions
HPE Cray System Management - 0.9.6 and 1.0.0
HPE InfoSight for StoreOnce - N/A
HPE InfoSight for Alletra 9000, Primera, 3PAR - N/A
HPE InfoSight Portal Core Platform - N/A
HPE InfoSight for SimpliVity - N/A

BACKGROUND

HPE calculates CVSS using CVSS Version 3.1. If the score is provided from NIST, we will display Version 2.0, 3.0, or 3.1 as provided from NVD.

Reference        V3 Vector                                      V3 Base Score   V2 Vector                    V2 Base Score
CVE-2021-4104    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H   8.1             AV:N/AC:M/Au:N/C:P/I:P/A:P   6.8
CVE-2021-44228   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H   10              AV:N/AC:M/Au:N/C:C/I:C/A:C   9.3
CVE-2021-44832   CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H   6.6             AV:N/AC:M/Au:S/C:P/I:P/A:P   6
CVE-2021-45046   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H   9.0             AV:N/AC:H/Au:N/C:C/I:C/A:C   7.6
CVE-2021-45105   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H   7.5             AV:N/AC:L/Au:N/C:N/I:N/A:C   7.8

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE is currently evaluating all of its products relative to the Apache Log4j vulnerabilities. HPE will issue fixes and security bulletins that describe those fixes as they become available. The list of impacted products will be updated as more information becomes available, and links to mitigations for individual products will be listed here:

Security Notices (mitigations, workarounds):
HPE Network Function Virtualization Director (NFV Director)
HPE Ezmeral Data Fabric
HPE Ezmeral Container Platform log4j vulnerability impact
HPE Ezmeral Container Platform - Mitigation steps for CVE-2021-44228, CVE-2021-45046 and CVE-2021-4101 in epic-mapr containers on Ezmeral Container Platform 5.x
HPE Ezmeral Container Platform - Mitigation steps for CVE-2021-44228 and CVE-2021-45046 in epic-monitoring containers on supported versions of Ezmeral Container Platform and EPIC
HPE Intelligent Management Center (IMC)
HPE Virtualized Telecommunication Management Information Platform (VTEMIP)
HPE Revenue Intelligence (RI)
HPE Cray Products
HPE B-Series SANnav Management Software
HPE XP Performance Advisor (PA)
HPE Telecom Analytics Smart Profile Server Data Analytics Layer (TASPS DAL)
HPE Dragon - Security Advisory for Apache Log4j Vulnerability (CVE-2021-44228)
HPE Real Time Management System (RTMS) - Security Advisory for Apache Log4j Vulnerability (CVE-2021-44228)
HPE 5G Core Network Functions
HPE Universal Internet of Things (UIoT)
HPE Data Center Network Manager
HPE Simplivity
HPE Legacy HyperConverged Gen9 Systems with VMware vSphere 6.5.x and 6.7.x

Security Bulletins (Fixes, updates):
HPE Service Director (SD)
HPE 3PAR/Primera StoreServ Management Console (SSMC)
HPE Dynamic SIM Provisioning (DSP)
HPE Remote SIM Provisioning Manager (RSPM)
HPE 3PAR Service Processors
HPE Real Time Management System (RTMS)
HPE Trueview Inventory Software Series
HPE enhanced Interactive Unified Mediation (eIUM)
HPE Edge Infrastructure Automation

The following services have been patched and no action is required by the customers:
InfoSight for Alletra 9000, Primera, 3PAR
InfoSight for StoreOnce
InfoSight Portal Core Platform
Atlas Data Orchestrator

Please see the HPE Vulnerability Alerts page and use HPE Support Center to search for product-specific documents.

HISTORY

Version:1 (rev.1) - 14 December 2021 - Initial release
Version:2 (rev.2) - 15 December 2021 - Adding impacted products
Version:3 (rev.3) - 16 December 2021 - Corrected product names
Version:4 (rev.4) - 17 December 2021 - Updated
Version:5 (rev.5) - 17 December 2021 - Adding new CVE numbers, products, versions, and text
Version:6 (rev.6) - 21 December 2021 - Adding CVE-2021-45105, products, version and text.
Version:7 (rev.7) - 21 December 2021 - Adding and updating products and versions. Adding Security Bulletin links.
Version:8 (rev.8) - 23 December 2021 - Updating versions. Adding Customer Notice and Security Bulletin links
Version:9 (rev.9) - 6 January 2022 - Update SSMC version and product information.
Version:10 (rev.10) - 8 January 2022 - Added HPE Infosight storage services information and security notice.
Version:11 (rev.11) - 13 January 2022 - Updated Ezmeral Ecosystem Pack and added InfoSight Portal Core Platform
Version:12 (rev.12) - 14 January 2022 - Adding InfoSight for SimpliVity and Atlas Data Orchestrator

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact the normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:
Web Form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert@hpe.com

Hewlett Packard Enterprise Product Security Response Policy: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

System management and security procedures must be reviewed frequently to maintain system integrity. HPE is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HPE is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HPE products the important security information contained in this Bulletin. HPE recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HPE does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HPE will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HPE disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

©Copyright 2024 Hewlett Packard Enterprise Development LP

Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
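The VULNERABILITY SUMMARY above gives each log4j-core CVE as a version range with fix-release exclusions. The helper below, an added example and not HPE's or Apache's code, turns those ranges into an inventory check: it parses log4j version strings (including the 2.0-alpha/beta pre-releases the ranges start at), maps a jar name to its version, and reports which of the bulletin's CVEs apply. Ranges are taken from the bulletin text; the CVE-2021-45046 range, which the bulletin does not state, is the one from the Apache Log4j security page, and the Log4j 1.2 JMSAppender condition for CVE-2021-4104 is passed in by the caller since it cannot be read from a version number.

```python
import re

# Pre-release qualifiers sort below the final release of the same number.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3


def parse_version(text):
    """Turn a log4j version such as '2.0-beta9' or '2.12.1' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    rank = _FINAL if qualifier is None else _QUALIFIER_RANK[qualifier]
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))


# (CVE, inclusive ranges, excluded fix releases) for log4j-core 2.x, as quoted in the
# bulletin's VULNERABILITY SUMMARY. CVE-2021-45046 has no range in the bulletin; the
# one used here is from the Apache Log4j security page (assumption, not bulletin text).
_LOG4J2_CVES = [
    ("CVE-2021-44228", [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")], []),
    ("CVE-2021-45046", [("2.0-beta9", "2.15.0")], ["2.12.2", "2.12.3", "2.3.1"]),
    ("CVE-2021-45105", [("2.0-alpha1", "2.16.0")], ["2.12.3"]),
    ("CVE-2021-44832", [("2.0-beta7", "2.17.0")], ["2.3.2", "2.12.4"]),
]


def applicable_cves(version, uses_jms_appender=False):
    """Return the bulletin's CVEs that apply to one log4j-core version.

    uses_jms_appender: CVE-2021-4104 only applies to Log4j 1.2 when it is explicitly
    configured with JMSAppender (not the default), which the caller must know.
    """
    parsed = parse_version(version)
    if parsed[:2] == (1, 2):
        return ["CVE-2021-4104"] if uses_jms_appender else []
    if parsed[0] != 2:
        return []
    hits = []
    for cve, ranges, excluded in _LOG4J2_CVES:
        if parsed in {parse_version(v) for v in excluded}:
            continue  # a security fix release for this CVE
        if any(parse_version(lo) <= parsed <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def version_from_jar_name(filename):
    """Version of a 'log4j-core-<ver>.jar' or 1.x 'log4j-<ver>.jar'; None for other jars.

    The bulletin notes CVE-2021-44228 is specific to log4j-core, so log4j-api and
    unrelated jars deliberately return None instead of a version.
    """
    m = re.fullmatch(r"log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?(?:-[a-z]+\d*)?)\.jar", filename.lower())
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real system.
    for jar in ["log4j-core-2.14.1.jar", "log4j-core-2.17.0.jar", "log4j-api-2.17.1.jar", "log4j-1.2.17.jar"]:
        ver = version_from_jar_name(jar)
        print(jar, "->", applicable_cves(ver) if ver else "not a log4j-core jar")
```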

Scope

None

