Network Management

 View Only
last person joined: 2 days ago 

Keep an informative eye on your network with IMC and AirWave network management solutions.
Expand all | Collapse all

IMC & Log4J Critical Vulnerability

This thread has been viewed 144 times
  • 1.  IMC & Log4J Critical Vulnerability

    Posted Dec 13, 2021 08:13 AM
      |   view attached
    Hello,

    Is there a hotfix planned to be released ASAP, regarding this new critical vulnerability (10 out of 10 CVSS) ?

    https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/

    Attached file is a screenshot of log4j directories used by iMC.

    Many thanks in advance !

    Jerome.

    ------------------------------
    Jerome BAILLIART
    ------------------------------


  • 2.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 13, 2021 10:53 AM
    Hi there,

    I look forward to hearing back on this also.

    ------------------------------
    Patrick Byrne
    ------------------------------



  • 3.  RE: IMC & Log4J Critical Vulnerability

    EMPLOYEE
    Posted Dec 13, 2021 11:08 AM
    Please reach out to Aruba TAC support for enquiries around security vulnerabilities.

    If products are affected, a Security Advisory will be published on https://www.arubanetworks.com/support-services/security-bulletins

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 13, 2021 11:34 AM
    Hello,

    Thank you for your reply.
    I received the usual sunday weekly Aruba releases notifications, and I have not seen any fix to this recent vulnerability (CVE-2021-44228), neither do I see it using the link you provided.
    I really think that an answer here, with an "How-to" or a fix from Aruba would be useful for many people currently using IMC and facing the same critical security issue.

    ------------------------------
    Jerome BAILLIART
    ------------------------------



  • 5.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 13, 2021 02:28 PM
    Hi All,

    In my comany we are using one of the latest version of iMC (E0705P12) and in the applicatins files, there is the folder "slf4j" containing the file slf4j-log4j12.jar.

    After a quick search inside the jar file, i can see the version of library :1.8.0-beta2


    After a quick look at this address: https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.8.0-beta2 ,  log4j version is 1.2.17 which is affected by CVE-2021-44228 


    Could you please take a look on this and confirm if it's correct?  

    Thanks in forward.


    Benoit

    ------------------------------
    Zins Benoit
    ------------------------------



  • 6.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 14, 2021 04:08 AM
    We are running version 7.2 of IMC and seeing the same.   I have logged a case with Support.



  • 7.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 14, 2021 11:11 AM
    Log4j 1.2 would be outside the indicated version affected by the vulnerability as it lists versions 2 <=2.14.1, right?

    Is there an official "not affected" security bulletin for IMC? I know I got a big unaffected notice from the Aruba side but IMC is not mentioned.


    ------------------------------
    Jay Burling
    ------------------------------



  • 8.  RE: IMC & Log4J Critical Vulnerability

    MVP GURU
    Posted Dec 15, 2021 03:10 AM
    Here the HPE Security Bulletin (HPESBGN04215 rev.2 - Certain HPE Products using Apache Log4j2, Remote Code Execution) about some of the HPE products impacted by CVE-2021-44228, among them the HPE IMC.

    Here instead the HPE Support Alert - Customer Notice (Apache Software Log4j - Security Vulnerability CVE-2021-44228) with the current list of HPE/Aruba products declared as not affected by CVE-2021-44228.

    Reference here.

    ------------------------------
    Davide Poletto
    ------------------------------



  • 9.  RE: IMC & Log4J Critical Vulnerability

    EMPLOYEE
    Posted Dec 15, 2021 09:30 AM
    Hello everyone,

    iMC 7.3 E0706 and E0706P06 are the only affected versions by this vulnerability, previous versions use an older Log4j that is not affected. An advisory has been published that includes a workaround you can apply so you are no longer vulnerable, and a hotfix should be posted in the near future.

    Please see https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120130en_us

    ------------------------------
    Justin Guse
    ------------------------------



  • 10.  RE: IMC & Log4J Critical Vulnerability

    MVP GURU
    Posted Dec 15, 2021 02:14 PM
    Hello Justin, what I read and what is stated on the PDF you linked is that all HPE IMC PLAT software versions <= E0706P06 are affected...not only the E0706 GA and its P06 Patch (IIRC the "<=" is equivalent to "older or equal than").

    ------------------------------
    Davide Poletto
    ------------------------------



  • 11.  RE: IMC & Log4J Critical Vulnerability

    EMPLOYEE
    Posted Dec 16, 2021 05:27 AM

    Hello Davide,

    That's some information I received after the doc was already published. However when in doubt, you can always consider the official doc to be correct. Even if you are on an older version that's potentially 'not affected', I think there's still plenty of reason to consider upgrading to the latest version. There are numerous other vulnerabilities fixed in the latest releases (as seen in release notes), and anyone concerned about the security of their IMC system would do well to keep it up to date.



    ------------------------------
    Justin Guse
    ------------------------------



  • 12.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 15, 2021 02:17 PM
    Apache also recommend that, while the Log4j 1.x series is not known to be affected by either CVE, users running versions from the first release line should still update to the latest release line, since the first has reached end of life and no longer receives security patches.


  • 13.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 05, 2022 05:31 AM
    Hotfix E0706H07 is available now:

    Patch im MNP: https://h10145.www1.hpe.com/downloads/SoftwareReleases.aspx?ProductNumber=JG747AAE&lang=&cc=&prodSeriesId=

    Patch im ASP: https://asp.arubanetworks.com/downloads/software/RmlsZTo3M2ExYzY5MC02YTNiLTExZWMtYjg3Yy1lMzk0NTQ5NDkwY2Y%3D

    Needs to be upgraded from E0706P06

    Best Regards,

    Michael

    ------------------------------
    Michael Breuer
    ------------------------------



  • 14.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 05, 2022 05:59 AM
    Hi Michael,

    Just to be clear, I am using 7.3 E0706, so I have to upgrade to E0706H07 for a permanent fix the Log4J vulnerability?

    Best regards





  • 15.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 05, 2022 06:35 AM

    Yes, H07 contains the fix. Please note that you can only install the hotfix from E0706P06

    Best Regards,

    Michael



    ------------------------------
    Michael Breuer
    ------------------------------



  • 16.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 05, 2022 02:33 PM
    Many thanks Michael,

    It means I have to go up 2 patches then. By any chance do you think I should wait as I have read.that in these versions there seems to be bugs regarding Loopback alerts (Duplicate IP address)? I read it should be fixed in the next patch.

    Kind regards





  • 17.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 21, 2022 12:37 PM
    I have upgraded our IMC server from E0706 to E0706P06 and then to E0706H07. However, our internal scans are still showing that the IMC server is still vulnerable to the log4j vulnerability because of this file on the server:

    C:\Program Files\iMC\client\web\apps\rpt\WEB-INF\lib\log4j-1.2.17.jar

    The modification date and time of the above file was when I upgraded to E0706P06. It does not appear that it was touched during the E0706H07 patch. I am curious if this file is still being used, or if it can be deleted. Does this file still exist on your system after the patches were applied?

    ------------------------------
    Jeff Fulkerson
    ------------------------------



  • 18.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 25, 2022 06:13 AM
    Mine has the date of todays update (but I done both at the same time)

    MD5: FB87BD84E336CA3DC6B6C108F51BF25E
    SHA-1: 4F90475694C41965C9A0C8BAC53EA5C690DEA446
    SHA-256: A2234476879B9E76F99A561F3D9DA243684EDB54B0B44EF7C0CF7A1A3D1E6776

    Inside the dates of everything is 2012-05-06

    ------------------------------
    spgsitsupport
    ------------------------------



  • 19.  RE: IMC & Log4J Critical Vulnerability

    Posted Feb 07, 2022 02:15 PM
      |   view attached
    Hi,
    are there any news on this topic?
    We run the version 7.3(E0705P12). When i do a Vulnerability scan on that system, it looks clean for the problem with the Log4j.
    Now, i did a update on a testsystem to the newest version 7.3(E0706H07). Now, the Vulnerability scanner is complaining that there is the unsupported version 1.2.17 found of the Apache Log4j.
    The Path to the file:  C:\Program Files\iMC\client\web\apps\rpt\WEB-INF\lib\log4j-1.2.17.jar
    The version 1.2.17 reached its end of life prior to 2016 and i have a Risk Factor from CVSS v3.0 Base Score from 10.0 on that System.
    So the Audit fails on that system.
    Are there any plans to implement a supported Version that is not Vulnerability??
    Many thanks

    Markus

    ------------------------------
    Markus Huether
    ------------------------------