Skip to main content
Supermicro’s response to Apache Log4j vulnerability

Supermicro is aware of the recently disclosed (December 09, 2021) security issue related to the open-source Apache Java logging library “Log4j 2" also coined as “Log4Shell” (CVE-2021-44228) and joins the industry to mitigate the exposure with high priority. In addition to the CVE-2021-44228 issue, Supermicro is also addressing CVE-2021-45046 and CVE-2021-45105 security vulnerabilities.

Most Supermicro applications are not impacted by these three vulnerabilities. The only impacted application is Supermicro Power Manager (SPM). To remediate the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 issues, the recommended action is to update Log4j 2 in the affected product (SPM) to version 2.17.0.

Log4j 2.17.0 removes support for message lookup patterns and disables JNDI functionality by default. Log4j 2.17.0 also fixes stack overflow in Context Lookups in the configuration file’s layout patterns and thus prevents a denial-of-service attacks.

Supermicro will also release an update to SPM version 1.11.1. For SPM (remote management software), a validation test is being performed with high priority in order to release the update ASAP. The current workaround is for IT Admin to perform IP whitelisting to control and limit access to SPM.

Two additional CVEs CVE-2021-4104 and CVE-2019-17571 that describe vulnerability in Log4j 1.2 do not affect any of the Supermicro products. In particular, Supermicro Server Manager (SSM), Supermicro SuperDoctor (SD5), SMCIPMITool, and vCenter Plug-in that use Log4j 1.2 are not affected.

The Supermicro security team has analyzed Supermicro firmware and software products to understand whether any of them are affected by the Apache Log4j 1.2 and the Apache “Log4j 2” security vulnerabilities. Below is the table that summarizes the results.

Supermicro will continue monitoring the situation. In case any other products are found to be impacted, this bulletin will be updated. If you need additional details or assistance, please contact Supermicro Technical Support.

ProductAffected by Apache “Log4j 1.2”Affected by Apache “Log4j 2”Mitigation actions to be taken
BMC (all firmware branches)NoNo 
Chassis Management Module (CMM)NoNo 
SuperCloud Composer (SCC)NoNo 
Supermicro Server Manager (SSM)NoNo 
Supermicro SuperDoctor (SD5)NoNo 
Supermicro Power Manager (SPM)NoYes
Upgrade to Log4j 2.17.0.
SPM Release pending ASAP
SCC AnalyticsNoNo 
SCC Pod Manager (PodM)NoNo 
vCenter Plug-inNoNo 
SCOM Plug-inNoNo 
Nagios Plug-inNoNo 
Super Diagnostics OfflineNoNO 
Supermicro Update Manager (SUM)NoNo 
Supermicro Thin-Agent Service (TAS)NoNo