Network Management


IMC & Log4J Critical Vulnerability

  • 1.  IMC & Log4J Critical Vulnerability

    Posted Dec 13, 2021 08:13 AM
    Hello,

    Is there a hotfix planned to be released ASAP regarding this new critical vulnerability (10 out of 10 CVSS)?

    https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/

    Attached file is a screenshot of log4j directories used by iMC.

    Many thanks in advance!

    Jerome.

    ------------------------------
    Jerome BAILLIART
    ------------------------------


  • 2.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 13, 2021 10:53 AM
    Hi there,

    I look forward to hearing back on this also.

    ------------------------------
    Patrick Byrne
    ------------------------------



  • 3.  RE: IMC & Log4J Critical Vulnerability

    EMPLOYEE
    Posted Dec 13, 2021 11:08 AM
    Please reach out to Aruba TAC support for enquiries around security vulnerabilities.

    If products are affected, a Security Advisory will be published on https://www.arubanetworks.com/support-services/security-bulletins

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 13, 2021 11:34 AM
    Hello,

    Thank you for your reply.
    I received the usual Sunday weekly Aruba release notifications, and I have not seen any fix for this recent vulnerability (CVE-2021-44228), nor do I see it using the link you provided.
    I really think that an answer here, with a "How-to" or a fix from Aruba, would be useful for many people currently using IMC and facing the same critical security issue.

    ------------------------------
    Jerome BAILLIART
    ------------------------------



  • 5.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 13, 2021 02:28 PM
    Hi All,

    In my company we are using one of the latest versions of iMC (E0705P12), and in the application files there is the folder "slf4j" containing the file slf4j-log4j12.jar.

    After a quick search inside the jar file, I can see the version of the library: 1.8.0-beta2


    After a quick look at this address: https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.8.0-beta2 , the log4j version is 1.2.17, which is affected by CVE-2021-44228 


    Could you please take a look at this and confirm if it's correct?  

    Thanks in advance.


    Benoit

    ------------------------------
    Zins Benoit
    ------------------------------



  • 6.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 14, 2021 04:08 AM
    We are running version 7.2 of IMC and seeing the same. I have logged a case with Support.



  • 7.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 14, 2021 11:11 AM
    Log4j 1.2 would be outside the indicated version affected by the vulnerability as it lists versions 2 <=2.14.1, right?

    Is there an official "not affected" security bulletin for IMC? I know I got a big unaffected notice from the Aruba side but IMC is not mentioned.


    ------------------------------
    Jay Burling
    ------------------------------



  • 8.  RE: IMC & Log4J Critical Vulnerability

    MVP GURU
    Posted Dec 15, 2021 03:10 AM
    Here is the HPE Security Bulletin (HPESBGN04215 rev.2 - Certain HPE Products using Apache Log4j2, Remote Code Execution) about some of the HPE products impacted by CVE-2021-44228, among them the HPE IMC.

    Here instead is the HPE Support Alert - Customer Notice (Apache Software Log4j - Security Vulnerability CVE-2021-44228) with the current list of HPE/Aruba products declared as not affected by CVE-2021-44228.

    Reference here.

    ------------------------------
    Davide Poletto
    ------------------------------



  • 9.  RE: IMC & Log4J Critical Vulnerability

    EMPLOYEE
    Posted Dec 15, 2021 09:30 AM
    Hello everyone,

    iMC 7.3 E0706 and E0706P06 are the only affected versions by this vulnerability, previous versions use an older Log4j that is not affected. An advisory has been published that includes a workaround you can apply so you are no longer vulnerable, and a hotfix should be posted in the near future.

    Please see https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120130en_us

    ------------------------------
    Justin Guse
    ------------------------------



  • 10.  RE: IMC & Log4J Critical Vulnerability

    MVP GURU
    Posted Dec 15, 2021 02:14 PM
    Hello Justin, what I read and what is stated on the PDF you linked is that all HPE IMC PLAT software versions <= E0706P06 are affected...not only the E0706 GA and its P06 patch (IIRC the "<=" is equivalent to "older than or equal to").

    ------------------------------
    Davide Poletto
    ------------------------------



  • 11.  RE: IMC & Log4J Critical Vulnerability

    EMPLOYEE
    Posted Dec 16, 2021 05:27 AM

    Hello Davide,

    That's some information I received after the doc was already published. However when in doubt, you can always consider the official doc to be correct. Even if you are on an older version that's potentially 'not affected', I think there's still plenty of reason to consider upgrading to the latest version. There are numerous other vulnerabilities fixed in the latest releases (as seen in release notes), and anyone concerned about the security of their IMC system would do well to keep it up to date.



    ------------------------------
    Justin Guse
    ------------------------------



  • 12.  RE: IMC & Log4J Critical Vulnerability

    Posted Dec 15, 2021 02:17 PM
    Apache also recommend that, while the Log4j 1.x series is not known to be affected by either CVE, users running versions from the first release line should still update to the latest release line, since the first has reached end of life and no longer receives security patches.


  • 13.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 05, 2022 05:31 AM
    Hotfix E0706H07 is available now:

    Patch in MNP: https://h10145.www1.hpe.com/downloads/SoftwareReleases.aspx?ProductNumber=JG747AAE&lang=&cc=&prodSeriesId=

    Patch in ASP: https://asp.arubanetworks.com/downloads/software/RmlsZTo3M2ExYzY5MC02YTNiLTExZWMtYjg3Yy1lMzk0NTQ5NDkwY2Y%3D

    Needs to be upgraded from E0706P06

    Best Regards,

    Michael

    ------------------------------
    Michael Breuer
    ------------------------------



  • 14.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 05, 2022 05:59 AM
    Hi Michael,

    Just to be clear, I am using 7.3 E0706, so I have to upgrade to E0706H07 for a permanent fix for the Log4J vulnerability?

    Best regards





  • 15.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 05, 2022 06:35 AM

    Yes, H07 contains the fix. Please note that you can only install the hotfix from E0706P06

    Best Regards,

    Michael



    ------------------------------
    Michael Breuer
    ------------------------------



  • 16.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 05, 2022 02:33 PM
    Many thanks Michael,

    It means I have to go up 2 patches then. By any chance, do you think I should wait, as I have read that in these versions there seem to be bugs regarding loopback alerts (Duplicate IP address)? I read it should be fixed in the next patch.

    Kind regards





  • 17.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 21, 2022 12:37 PM
    I have upgraded our IMC server from E0706 to E0706P06 and then to E0706H07. However, our internal scans are showing that the IMC server is still vulnerable to the log4j vulnerability because of this file on the server:

    C:\Program Files\iMC\client\web\apps\rpt\WEB-INF\lib\log4j-1.2.17.jar

    The modification date and time of the above file was when I upgraded to E0706P06. It does not appear that it was touched during the E0706H07 patch. I am curious if this file is still being used, or if it can be deleted. Does this file still exist on your system after the patches were applied?

    ------------------------------
    Jeff Fulkerson
    ------------------------------



  • 18.  RE: IMC & Log4J Critical Vulnerability

    Posted Jan 25, 2022 06:13 AM
    Mine has the date of today's update (but I did both at the same time)

    MD5: FB87BD84E336CA3DC6B6C108F51BF25E
    SHA-1: 4F90475694C41965C9A0C8BAC53EA5C690DEA446
    SHA-256: A2234476879B9E76F99A561F3D9DA243684EDB54B0B44EF7C0CF7A1A3D1E6776

    Inside, the dates of everything are 2012-05-06

    ------------------------------
    spgsitsupport
    ------------------------------



  • 19.  RE: IMC & Log4J Critical Vulnerability

    Posted Feb 07, 2022 02:15 PM
    Hi,
    are there any news on this topic?
    We run version 7.3 (E0705P12). When I do a vulnerability scan on that system, it looks clean regarding the problem with Log4j.
    Now I did an update on a test system to the newest version 7.3 (E0706H07). Now the vulnerability scanner is complaining that it found the unsupported version 1.2.17 of Apache Log4j.
    The path to the file:  C:\Program Files\iMC\client\web\apps\rpt\WEB-INF\lib\log4j-1.2.17.jar
    Version 1.2.17 reached its end of life prior to 2016, and I have a risk factor with a CVSS v3.0 base score of 10.0 on that system.
    So the audit fails on that system.
    Are there any plans to implement a supported version that is not vulnerable?
    Many thanks

    Markus

    ------------------------------
    Markus Huether
    ------------------------------
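Several posts in this thread do the same checks by hand: looking inside a jar for its version (post 5), comparing that version against the affected Log4j 2 range (posts 7 and 10), and locating and hashing the leftover log4j-1.2.17.jar under rpt\WEB-INF\lib after the H07 hotfix (posts 17 to 19). The script below automates those checks over a directory tree. It is an added example, not code from this thread, from HPE or from Aruba; it assumes the standard Maven pom.properties and class paths found inside Log4j and slf4j-log4j12 jars (the filename is used as a fallback), builds constructed toy jars in a temporary directory so it runs offline, and takes a real directory such as C:\Program Files\iMC as an optional argument.

```python
"""Find Log4j jars under a directory and classify them for CVE-2021-44228.

Added example, not HPE/Aruba code. Class entries in the constructed sample
jars are empty placeholders; only entry names and Maven metadata matter.
"""
import hashlib
import io
import os
import re
import sys
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
SLF4J_LOG4J12_MARKER = "org/slf4j/impl/Log4jLoggerFactory.class"

FIRST_VULNERABLE, FIRST_FIXED = "2.0-beta9", "2.15.0"
FIXED_BACKPORTS = {"2.3.1", "2.12.2"}  # CVE-2021-44228 fixes for the Java 6 / Java 7 branches
TAG_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(v):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); a final release sorts above any pre-release."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", v)
    if not m:
        raise ValueError("unparseable version: %r" % v)
    major, minor, patch, tag, n = m.groups()
    pre = (TAG_ORDER[tag], int(n)) if tag else (9, 0)
    return (int(major), int(minor), int(patch or 0)) + pre


def cve_2021_44228_status(version, has_jndi_lookup):
    """vulnerable / mitigated (JndiLookup.class removed) / fixed / not_in_range.
    2.15.0 closes CVE-2021-44228 only; the follow-up Log4j 2 CVEs need newer releases."""
    v = parse_version(version)
    if version in FIXED_BACKPORTS or v >= parse_version(FIRST_FIXED):
        return "fixed"
    if v < parse_version(FIRST_VULNERABLE):
        return "not_in_range"
    return "vulnerable" if has_jndi_lookup else "mitigated"


def _prop(zf, name, key="version"):
    """Read key=value from a pom.properties entry inside the jar, if present."""
    if name not in zf.namelist():
        return None
    for line in zf.read(name).decode("utf-8", "replace").splitlines():
        if line.startswith(key + "="):
            return line.split("=", 1)[1].strip()
    return None


def _from_filename(fname, artifact):
    m = re.match(r"^%s-(.+)\.jar$" % re.escape(artifact), fname)
    return m.group(1) if m else None


def inspect_jar(path):
    """Classify one jar by its entries; record SHA-256 so copies can be compared."""
    with open(path, "rb") as f:
        data = f.read()
    info = {"path": path, "sha256": hashlib.sha256(data).hexdigest(),
            "kind": "other", "version": None, "status": "n/a"}
    fname = os.path.basename(path)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if LOG4J2_POM in names or any(n.startswith("org/apache/logging/log4j/core/") for n in names):
                info["kind"] = "log4j2-core"
                info["version"] = _prop(zf, LOG4J2_POM) or _from_filename(fname, "log4j-core")
                info["status"] = (cve_2021_44228_status(info["version"], JNDI_LOOKUP in names)
                                  if info["version"] else "unknown-version")
            elif LOG4J1_MARKER in names:
                info["kind"] = "log4j1"
                info["version"] = _prop(zf, LOG4J1_POM) or _from_filename(fname, "log4j")
                info["status"] = "eol-1.x-not-cve-2021-44228"  # what scanners flag as end-of-life
            elif SLF4J_LOG4J12_MARKER in names:
                info["kind"] = "slf4j-log4j12-binding"  # binds to a separate log4j 1.x jar
                info["version"] = _from_filename(fname, "slf4j-log4j12")
                info["status"] = "binding-only-check-log4j-jar"
    except zipfile.BadZipFile:
        info["kind"] = "not-a-jar"
    return info


def scan_tree(root):
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".jar"):
                hits.append(inspect_jar(os.path.join(dirpath, fn)))
    return sorted(hits, key=lambda r: r["path"])


def build_sample_jars(root):
    """Constructed toy jars mirroring the layouts mentioned in the thread."""
    def jar(rel, entries):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            for name, body in entries.items():
                zf.writestr(name, body)
    core = "org/apache/logging/log4j/core/Logger.class"
    jar("lib/log4j-core-2.14.1.jar", {core: b"", JNDI_LOOKUP: b"", LOG4J2_POM: "version=2.14.1\n"})
    jar("lib/patched/log4j-core-2.14.1.jar", {core: b"", LOG4J2_POM: "version=2.14.1\n"})
    jar("lib/log4j-core-2.17.1.jar", {core: b"", JNDI_LOOKUP: b"", LOG4J2_POM: "version=2.17.1\n"})
    jar("rpt/WEB-INF/lib/log4j-1.2.17.jar", {LOG4J1_MARKER: b"", LOG4J1_POM: "version=1.2.17\n"})
    jar("slf4j/slf4j-log4j12-1.8.0-beta2.jar", {SLF4J_LOG4J12_MARKER: b""})


def demo():
    """Scan the constructed jars; returns {relative path: (kind, version, status)}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jars(root)
        return {os.path.relpath(r["path"], root).replace(os.sep, "/"):
                (r["kind"], r["version"], r["status"]) for r in scan_tree(root)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. "C:\Program Files\iMC" on an IMC server
        for r in scan_tree(sys.argv[1]):
            print(r["kind"], r["version"], r["status"], r["sha256"], r["path"])
    else:
        for path, row in demo().items():
            print(path, row)
```

Run without arguments it scans the constructed jars and reports the 2.14.1 jar as vulnerable, the copy with JndiLookup.class removed as mitigated, 2.17.1 as fixed, log4j-1.2.17.jar as end-of-life 1.x (not in the CVE-2021-44228 range, which is the distinction posts 7 and 19 turn on), and slf4j-log4j12 as only a binding, so the log4j jar it binds to is what needs checking. The SHA-256 column lets you compare the rpt\WEB-INF\lib copy against the hashes posted above after a hotfix; the version string alone does not tell you whether a patch replaced the file.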