Our security team has flagged the VSP as running a vulnerable version of the Apache Commons Collections Library and a vulnerable version of Java. We are running SVP microcode 70-06-26/00 and I was wondering if there was a fix for this? Thanks.
Are you referring to this vulnerability: Vulnerability Note VU#576313 - Apache Commons Collections Java library insecurely deserializes data?
It is addressed in microcode version 70-06-39: https://support.hds.com/en_us/user/tech-tips/e/2016march/T2016032201.html.
Thanks. That looks like the issue. Command Suite reports 2 different microcode versions (70-06-26/00 (SVP) and 70-06-40-00/00 (DKC)) so I assume the one I want is the DKC version since we recently updated. For some reason I don't have access to the tech-tips document.
Hmm, your SVP might be running the latest microcode already. Each microcode release contains two subsets: SVP and DKC. SVP contains updates for the management mode, i.e. the 1U Windows server running Storage Navigator and other configuration pieces. DKC contains firmware for the controllers and disk chassis.
The microcode version that I mentioned, 70-06-39, is release M249. It contains SVP version 70-06-26 and DKC version 70-06-39. Your SVP is running the same version and your DKC is running a newer code. So I believe your array is running the latest microcode, which is version M256.
Perhaps the Apache fix in M249 (and subsequently, M256) is not related to your situation? In any case, I'd ask HDS Support to take a closer look.