Hewlett Packard Enterprise Product Security Vulnerability Alerts

Apache Software Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105, CVE-2021-44832)

Version 6.0: Last Updated: January 7, 2022

This website is updated frequently, as new product information becomes available.

On December 9, 2021, HPE was made aware of a security event impacting Apache Software Log4j v2.x associated with CVE-2021-44228.

HPE immediately mobilized to understand and remediate any exposures that HPE might have to this vulnerability. To the extent HPE determines any remediation of its products is required as a result of this vulnerability, HPE will advise customers of such remediation.

A Remote Code Execution vulnerability, CVE-2021-45046, was found in the original fix for CVE-2021-44228. Apache released Log4j v2.16.0 to mitigate the issue.

In addition, the vulnerability CVE-2021-4104 also allows remote code execution attacks like CVE-2021-44228 and CVE-2021-45046 in certain non-default configurations.

Another vulnerability, CVE-2021-45105, has been identified; it allows a Denial-of-Service (DoS) attack in certain non-default configurations. Apache Log4j 2.17.0 is the latest fixed version.

Another vulnerability, CVE-2021-44832, has been identified; it allows remote code execution attacks. Apache Log4j 2.17.1 is the latest fixed version.

The investigation of HPE products utilizing Log4j is ongoing. Refer to the Customer Notice below for a list of products HPE has analyzed so far and found not vulnerable to CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105, or CVE-2021-44832, and to the Security Bulletin below for a list of vulnerable products. Security Bulletins for affected products will be issued and posted on HPE Support Center when the fixes become available in the near future. HPE products not listed in the following Customer Notice or Security Bulletin are undergoing investigation.

HPE continues to investigate this issue, and the product impact assessment will be updated as more information becomes available.

Resources

Disclaimer: One or more of the links above will take you outside the HPE website. HPE is not responsible for content outside of its domain.