HPE Storage Users Group

A Storage Administrator Community




 Post subject: Next major release of 3par SP ?
PostPosted: Wed Jun 01, 2022 3:19 am 

Joined: Tue Apr 19, 2022 4:59 am
Posts: 9
Location: Europe
Our 3PAR SPs are currently running under the (latest?) 5.0.9.2 revision. However, the underlying version of Debian 9.6 has been unsupported since 6.7.20. HPE previously told us that "a fix is in the works and slated for mid-year, in a new major release" (which, we're presuming, would include an upgrade to Debian Linux 10.x).

Is anyone aware of when the next release will be, as we're now being chased by our security team regarding when we'll have a fix for the increasing number of high vulnerabilities associated with our 3PAR SPs?


 Post subject: Re: Next major release of 3par SP ?
PostPosted: Wed Jun 01, 2022 7:25 am 

Joined: Mon Sep 21, 2015 2:11 pm
Posts: 1398
Location: Europe
paoloc1 wrote:
Our 3PAR SPs are currently running under the (latest?) 5.0.9.2 revision. However, the underlying version of Debian 9.6 has been unsupported since 6.7.20. HPE previously told us that "a fix is in the works and slated for mid-year, in a new major release" (which, we're presuming, would include an upgrade to Debian Linux 10.x).

Is anyone aware of when the next release will be, as we're now being chased by our security team regarding when we'll have a fix for the increasing number of high vulnerabilities associated with our 3PAR SPs?



I might be looking at this from another point of view.

Why do you care about when Debian 9.6 stopped being maintained? The Service Processor (like SSMC) is an appliance. You are not maintaining the underlying operating system. From every point of view, SP 5.0.9.2 is supported. You're not running Debian 9.6, you are running an appliance based (loosely or not) on Debian 9.6 but with a number of modifications.

What I at least would care about is vulnerabilities that are exploitable on the Service Processor. What vulnerabilities is your security team worried about? Last time I ran a scanner on one of my SPs it didn't find any vulnerabilities. It threw a warning about one CVE, but when I tried to use the exploit it didn't work, most likely because the exploitable service was disabled or locked down so it couldn't be used.

_________________
The views and opinions expressed are my own and do not necessarily reflect those of my current or previous employers.


 Post subject: Re: Next major release of 3par SP ?
PostPosted: Wed Jun 01, 2022 8:18 am 

Joined: Tue Apr 19, 2022 4:59 am
Posts: 9
Location: Europe
You make a good and valid point. I think I was focusing too much on the number of Nessus vulnerabilities (35 medium, 15 high and 1 critical) exposed by our monthly scan, whilst forgetting that this is an appliance with an underlying OS which we don't maintain.


 Post subject: Re: Next major release of 3par SP ?
PostPosted: Wed Jun 01, 2022 8:46 am 

Joined: Tue Apr 19, 2022 4:59 am
Posts: 9
Location: Europe
Having said that, I recently upgraded our SSMC appliance from 3.8.0 to 3.8.2 for the purpose of fixing an underlying log4j vulnerability, so it's doubtful that being an appliance would provide sufficient justification for our security team to ignore them :(


 Post subject: Re: Next major release of 3par SP ?
PostPosted: Wed Jun 01, 2022 9:35 am 

Joined: Tue Apr 19, 2022 4:59 am
Posts: 9
Location: Europe
The attached file shows a summary of all the High and Critical Nessus vulnerabilities associated with our SPs.


Attachments: ScreenHunter 4217.png [ 80.77 KiB ]
 Post subject: Re: Next major release of 3par SP ?
PostPosted: Thu Jun 02, 2022 2:05 am 

Joined: Mon Sep 21, 2015 2:11 pm
Posts: 1398
Location: Europe
paoloc1 wrote:
The attached file shows a summary of all the High and Critical Nessus vulnerabilities associated with our SPs.


Well. What you have is a list of potential vulnerabilities based on the installed versions of different components.

I would recommend logging a case with HPE providing that list. They should be able to review all of those, give you feedback on them, see which are actually exploitable, and tell you what measures you might be able to take to prevent them if exploitable.

_________________
The views and opinions expressed are my own and do not necessarily reflect those of my current or previous employers.

