2017-10-18 02:01 AM
If I am reading this correctly, there is still no published fix for the Cluster ONTAP. The dates are getting pretty close, and our company's security compliance team are expecting this patched by end of Nov 2017.
Have I missed an advisory update? Or is that document correct and there is still no update available?
2017-10-18 06:36 AM - edited 2017-10-19 08:09 AM
According to burt 992754, which covers the March 2016 OpenSSL Vulnerabilities in Clustered Data ONTAP, these CVEs were first fixed in ONTAP 9.0 (these are not fixed in cDOT 8.3.2). However, as you state, the KB article does not reflect this info.
Since there are other OpenSSH CVEs applicable to ONTAP, does your Security Team have any specific CVE number(s) they need fixed?
FYI, burt 1008362, which covers the May 2016 OpenSSH Vulnerabilities: OpenSSH vulnerability in Clustered Data ONTAP, is first fixed in ONTAP 9.1 (https://kb.netapp.com/support/s/article/may-2016-openssh-vulnerabilities-in-multiple-netapp-products?language=en_US).
2017-10-18 07:20 AM
The advisory ID number is below; I suspect this is an internal number only:
Advisory ID: MSS-OAR-E01-2017:0111.3
Description: NetApp: March 2016 OpenSSL Vulnerabilities in Multiple NetApp Products
It is mapped to the NetApp advisory and CVEs below:
NetApp Advisory Number: NTAP-20160303-0001
CVE: CVE-2016-0703, CVE-2016-0704, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0702, CVE-2016-0705
If the NetApp advisory will be updated soon, then I am more than happy, and I can respond / patch as needed once I know what ONTAP level I need to be at.