HMC

  • 1.  Log4j fix for HMC V9R1 M942?

    Posted Wed December 15, 2021 09:28 AM
    We've still got a 7042-OE1 HMC that does not appear to be upgradeable to V9R2, so we're stuck at V9R1 until early next year when we get replacement HMCs. Is there any chance a log4j fix will be made available for V9R1?


    ------------------------------
    Robert Wood
    ------------------------------


  • 2.  RE: Log4j fix for HMC V9R1 M942?

    Posted Wed December 15, 2021 11:48 AM
    And if not, is there any workaround for this vulnerability? Something that can be done on the internal firewall of the HMC? Or shut down the web UI for now and just use ssh and the command line?

    ------------------------------
    Robert Wood
    ------------------------------



  • 3.  RE: Log4j fix for HMC V9R1 M942?

    Posted Thu December 16, 2021 05:07 AM
    Hi!

    Given that the problem lies within the logging mechanism of the Java components, using ssh is safe, as it uses a different logging mechanism, yes. And if you can restrict access to the HMCs to trusted IPs, it would be safe enough for me as a temporary solution. The firewall should also log using a different mechanism, and before remotely generated strings are passed through to the web interface.

    Best regards,
      Alexander

    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 4.  RE: Log4j fix for HMC V9R1 M942?

    Posted Thu December 16, 2021 05:36 AM
    The affected versions as stated by IBM are V10 and V9R2 but whether this means V9R1 isn't affected, or just that as it's no longer supported they aren't checking it, I don't know.
    I'm stuck with some older CR8 models for the moment, so an EFIX for V9R1 would be nice (if required), or at the very least a confirmation if it is affected or not.
    At worst some commands to run via pesh access would do.

    ------------------------------
    Matt Dulson
    ------------------------------