Next major release of 3par SP ?

Post Reply
paoloc1
Posts: 10
Joined: Tue Apr 19, 2022 4:59 am
Location: Europe

Next major release of 3par SP ?

Post by paoloc1 »

Our 3par SP's are currently running under the (latest?) 5.0.9.2 revision. However the underlying version of Debian 9.6 has been unsupported since 6.7.20. HPE previously told us that "a fix is in the works and slated for mid-year, in a new major release” (which, we're presuming, would involve include an upgrade to Debian Linux 10.x)

Is anyone aware of when the next release will be, as now being chased by our security team regarding when we'll have a fix for the increasing number of high vulnerabilities associated with our 3par SP's ?
MammaGutt
Posts: 1578
Joined: Mon Sep 21, 2015 2:11 pm
Location: Europe

Re: Next major release of 3par SP ?

Post by MammaGutt »

paoloc1 wrote:Our 3par SP's are currently running under the (latest?) 5.0.9.2 revision. However the underlying version of Debian 9.6 has been unsupported since 6.7.20. HPE previously told us that "a fix is in the works and slated for mid-year, in a new major release” (which, we're presuming, would involve include an upgrade to Debian Linux 10.x)

Is anyone aware of when the next release will be, as now being chased by our security team regarding when we'll have a fix for the increasing number of high vulnerabilities associated with our 3par SP's ?



I might be looking at this from another point of view.

Why do you care about when Debian 9.6 stopped being maintained? The Service Processor (like SSMC) is an appliance. You are not maintaining the underlying operating system. From every point of view, SP 5.0.9.2 is supported. You're not running Debian 9.6, you are running an appliance based (loosely or not) on Debian 9.6 but with a number of modifications.

What at least I would care about is vulnerabilities that is exploitable on the Service Processor. What vulnerabilties are your security team worried about? Last time I ran a scanner on one of my SPs it didn't find any vulnerabilities. It threw a warning about one CVE but when I tried to use the exploit it didn't work, most likely because the exploitable service was disabled or locked down so it couldn't be used.
The views and opinions expressed are my own and do not necessarily reflect those of my current or previous employers.
paoloc1
Posts: 10
Joined: Tue Apr 19, 2022 4:59 am
Location: Europe

Re: Next major release of 3par SP ?

Post by paoloc1 »

You make a good and valid point. I think i was focusing too much on the number of Nessus vulnerabilities (x35 medium, x15 high & x1 critical) exposed by our monthly scan, whilst
forgetting that this is an appliance with an underlying O/S which we don't maintain.
paoloc1
Posts: 10
Joined: Tue Apr 19, 2022 4:59 am
Location: Europe

Re: Next major release of 3par SP ?

Post by paoloc1 »

Having said that i recently upgraded our SSMC appliance from 3.8.0 to 3.8.2 for the purpose of fixing an underlying log4j vulnerability so doubtful that being an appliance would provide sufficient justification for our security team to ignore them :(
paoloc1
Posts: 10
Joined: Tue Apr 19, 2022 4:59 am
Location: Europe

Re: Next major release of 3par SP ?

Post by paoloc1 »

The attached file shows a summary of all the High and Critical Nessus vulnerabilities associated with our SP's
Attachments
ScreenHunter 4217.png
ScreenHunter 4217.png (80.77 KiB) Viewed 15106 times
MammaGutt
Posts: 1578
Joined: Mon Sep 21, 2015 2:11 pm
Location: Europe

Re: Next major release of 3par SP ?

Post by MammaGutt »

paoloc1 wrote:The attached file shows a summary of all the High and Critical Nessus vulnerabilities associated with our SP's


Well. What you have a list of potential vulnerabilities based on the installed versions of different components.

I would recommend to log a case with HPE providing that list. They should be able to review all of those and give you a feedback on those and see which are actually exploitable and what measures you might be able to take to prevent them if exploitable.
The views and opinions expressed are my own and do not necessarily reflect those of my current or previous employers.
Post Reply