Supermicro is aware of the recently disclosed (December 09, 2021) security issue related to the open-source Apache Java logging library “Log4j 2" also coined as “Log4Shell” (CVE-2021-44228) and joins the industry to mitigate the exposure with high priority. In addition to the CVE-2021-44228 issue, Supermicro is also addressing CVE-2021-45046 and CVE-2021-45105 security vulnerabilities.
Most Supermicro applications are not impacted by these three vulnerabilities. The only impacted application is Supermicro Power Manager (SPM). To remediate the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 issues, the recommended action is to update Log4j 2 in the affected product (SPM) to version 2.17.0.
Log4j 2.17.0 removes support for message lookup patterns and disables JNDI functionality by default. Log4j 2.17.0 also fixes stack overflow in Context Lookups in the configuration file’s layout patterns and thus prevents a denial-of-service attacks.
Supermicro will also release an update to SPM version 1.11.1. For SPM (remote management software), a validation test is being performed with high priority in order to release the update ASAP. The current workaround is for IT Admin to perform IP whitelisting to control and limit access to SPM.
Two additional CVEs CVE-2021-4104 and CVE-2019-17571 that describe vulnerability in Log4j 1.2 do not affect any of the Supermicro products. In particular, Supermicro Server Manager (SSM), Supermicro SuperDoctor (SD5), SMCIPMITool, and vCenter Plug-in that use Log4j 1.2 are not affected.
The Supermicro security team has analyzed Supermicro firmware and software products to understand whether any of them are affected by the Apache Log4j 1.2 and the Apache “Log4j 2” security vulnerabilities. Below is the table that summarizes the results.
Supermicro will continue monitoring the situation. In case any other products are found to be impacted, this bulletin will be updated. If you need additional details or assistance, please contact Supermicro Technical Support.
| Product | Affected by Apache “Log4j 1.2” | Affected by Apache “Log4j 2” | Mitigation actions to be taken |
|---|---|---|---|
| BIOS | No | No | |
| BMC (all firmware branches) | No | No | |
| Chassis Management Module (CMM) | No | No | |
| SuperCloud Composer (SCC) | No | No | |
| Supermicro Server Manager (SSM) | No | No | |
| Supermicro SuperDoctor (SD5) | No | No | |
| Supermicro Power Manager (SPM) | No | Yes | Upgrade to Log4j 2.17.0. SPM Release pending ASAP |
| SMCIPMITool | No | No | |
| IPMICFG | No | No | |
| IPMIView | No | No | |
| SCC Analytics | No | No | |
| SCC Pod Manager (PodM) | No | No | |
| vCenter Plug-in | No | No | |
| SCOM Plug-in | No | No | |
| Nagios Plug-in | No | No | |
| Super Diagnostics Offline | No | NO | |
| Supermicro Update Manager (SUM) | No | No | |
| SUM Service (SUM_SERVER) | No | No | |
| Supermicro Thin-Agent Service (TAS) | No | No |