HPE Storage Users Group

Our 3par SP's are currently running under the (latest?) 5.0.9.2 revision. However the underlying version of Debian 9.6 has been unsupported since 6.7.20. HPE previously told us that "a fix is in the works and slated for mid-year, in a new major release” (which, we're presuming, would involve include an upgrade to Debian Linux 10.x)

Is anyone aware of when the next release will be, as now being chased by our security team regarding when we'll have a fix for the increasing number of high vulnerabilities associated with our 3par SP's ?

paoloc1 wrote:Our 3par SP's are currently running under the (latest?) 5.0.9.2 revision. However the underlying version of Debian 9.6 has been unsupported since 6.7.20. HPE previously told us that "a fix is in the works and slated for mid-year, in a new major release” (which, we're presuming, would involve include an upgrade to Debian Linux 10.x)

Is anyone aware of when the next release will be, as now being chased by our security team regarding when we'll have a fix for the increasing number of high vulnerabilities associated with our 3par SP's ?

I might be looking at this from another point of view.

Why do you care about when Debian 9.6 stopped being maintained? The Service Processor (like SSMC) is an appliance. You are not maintaining the underlying operating system. From every point of view, SP 5.0.9.2 is supported. You're not running Debian 9.6, you are running an appliance based (loosely or not) on Debian 9.6 but with a number of modifications.

What at least I would care about is vulnerabilities that is exploitable on the Service Processor. What vulnerabilties are your security team worried about? Last time I ran a scanner on one of my SPs it didn't find any vulnerabilities. It threw a warning about one CVE but when I tried to use the exploit it didn't work, most likely because the exploitable service was disabled or locked down so it couldn't be used.

You make a good and valid point. I think i was focusing too much on the number of Nessus vulnerabilities (x35 medium, x15 high & x1 critical) exposed by our monthly scan, whilst
forgetting that this is an appliance with an underlying O/S which we don't maintain.

Having said that i recently upgraded our SSMC appliance from 3.8.0 to 3.8.2 for the purpose of fixing an underlying log4j vulnerability so doubtful that being an appliance would provide sufficient justification for our security team to ignore them

The attached file shows a summary of all the High and Critical Nessus vulnerabilities associated with our SP's

paoloc1 wrote:The attached file shows a summary of all the High and Critical Nessus vulnerabilities associated with our SP's

Well. What you have a list of potential vulnerabilities based on the installed versions of different components.

I would recommend to log a case with HPE providing that list. They should be able to review all of those and give you a feedback on those and see which are actually exploitable and what measures you might be able to take to prevent them if exploitable.