
What NetApp products are subject to the OpenSSL Heartbleed vulnerability?

gregory_a_price

There was a major vulnerability disclosed in OpenSSL yesterday which is being referred to as Heartbleed. While the specifics are still being investigated, it places all user IDs/passwords at risk when using OpenSSL. I know that some NetApp products use it and am trying to find out which are vulnerable and what the plans are for addressing it.
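For readers doing the same inventory exercise, here is an added example (not NetApp tooling and not part of the original thread) that triages OpenSSL version strings, as printed by `openssl version`, against the two headline issues in this thread: CVE-2014-0160 (Heartbleed, affecting OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) and CVE-2014-0224 (CCS injection, fixed in 0.9.8za, 1.0.0m and 1.0.1h). The other CVEs listed later in the thread were fixed in those same June 2014 releases, but whether a build is exposed depends on DTLS use and compile options, so the script does not try to decide them. The host names and version strings in the inventory are constructed for the example. A version-string check is only a first pass: distribution vendors backport fixes without changing the version string (a patched 1.0.1e is common), an appliance may be built with heartbeats disabled, and only the vendor advisory is authoritative for a given product.

```python
"""Triage OpenSSL version strings against CVE-2014-0160 (Heartbleed) and
CVE-2014-0224 (CCS injection). Added example; not NetApp's own tooling."""
import re
from dataclasses import dataclass

# Matches "1.0.1e", "0.9.8za", "1.0.2-beta1" or "1.0.1e-fips" inside a longer
# string such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?")


@dataclass(frozen=True)
class OpenSSLVersion:
    major: int
    minor: int
    fix: int
    letter: str  # patch letters: "" < "a" < ... < "z" < "za" < "zb"
    suffix: str  # "beta1", "fips", or ""

    @property
    def branch(self):
        return (self.major, self.minor, self.fix)

    @property
    def letter_key(self):
        # OpenSSL patch letters run a..z and then za, zb, ...; compare length first.
        return (len(self.letter), self.letter)


def parse_version(text):
    """Extract the first OpenSSL version number found in `text`."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter, suffix = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(fix), letter, suffix or "")


def _letter_before(v, fixed_letter):
    return v.letter_key < (len(fixed_letter), fixed_letter)


def heartbleed_vulnerable(v):
    """CVE-2014-0160: 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g.
    The 0.9.8 and 1.0.0 branches never shipped the TLS heartbeat extension."""
    if v.branch == (1, 0, 1):
        return _letter_before(v, "g")
    if v.branch == (1, 0, 2):
        return v.suffix == "beta1"
    return False


def ccs_injection_vulnerable(v):
    """CVE-2014-0224: fixed in 0.9.8za, 1.0.0m and 1.0.1h (5 June 2014 release).
    Every earlier release on those branches, plus 1.0.2-beta1, is affected."""
    fixed_in = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}
    if v.branch in fixed_in:
        return _letter_before(v, fixed_in[v.branch])
    if v.branch == (1, 0, 2):
        return v.suffix == "beta1"
    # Branches older than 0.9.8 were end-of-life and never received the fix.
    return v.branch < (0, 9, 8)


def vulnerable_cves(version_text):
    """Return the CVE ids flagged for a version string (empty list if none)."""
    v = parse_version(version_text)
    found = []
    if heartbleed_vulnerable(v):
        found.append("CVE-2014-0160")
    if ccs_injection_vulnerable(v):
        found.append("CVE-2014-0224")
    return found


# Constructed inventory: hypothetical hosts, not real NetApp product data.
INVENTORY = [
    ("mgmt-host-a", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    ("mgmt-host-b", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("mgmt-host-c", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("mgmt-host-d", "OpenSSL 1.0.1h 5 Jun 2014"),
]


def triage(inventory):
    """Map each host whose version string is flagged to its list of CVE ids."""
    return {host: cves for host, text in inventory if (cves := vulnerable_cves(text))}


if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

Treat a flagged host as "needs confirmation", not "confirmed vulnerable": check the vendor's package changelog or the product advisory before concluding, and treat an unflagged host as clean only if the version string is genuinely upstream rather than a vendor build.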


connoisseur

Hi!

Do you have any update on the new OpenSSL issue?

DTLS invalid fragment vulnerability (CVE-2014-0195) and SSL/TLS MITM vulnerability (CVE-2014-0224)

Will this document be updated or will you have new ones for these?

SMITHT3A1

Any word on this yet?

ajosh

NetApp has posted Security Advisories for the latest OpenSSL vulnerabilities at the following URLs. Updates are being posted as new information is available.

OpenSSL TLS Handshake Vulnerability in Select NetApp Products (CVE-2014-0224)

https://library.netapp.com/ecm/ecm_get_file/ECMP1636026

OpenSSL Elliptic Curve Vulnerabilities in Multiple NetApp Products (CVE-2014-3470, CVE-2014-0076)

https://library.netapp.com/ecm/ecm_get_file/ECMP1636027

DTLS vulnerabilities in OpenSSL in Multiple NetApp Products (CVE-2014-0221, CVE-2014-0195)

https://library.netapp.com/ecm/ecm_get_file/ECMP1636028

OpenSSL SSL_MODE_RELEASE_BUFFERS Vulnerabilities in NetApp Products (CVE-2014-0198, CVE-2010-5298)

https://library.netapp.com/ecm/ecm_get_file/ECMP1636029

aborzenkov

Is there any entry page for all security advisories? How are we supposed to find those links? They are not entirely obvious ...

BALAJI_VENKATRAMAN

Hi ajosh,

We have a vulnerable product in our setup, i.e. OCUM 5.1, and the fix is 5.1P1 as per the above document.

However, when I download this package from the website it is a 700 MB file, which seems like an entire CORE package.

Isn't it supposed to be just a security patch, i.e. a small file?

Can I go ahead and install this on top of the existing CORE installed package?

Hope the underlying DB won't be affected!!

Balaji

arunj

Hi Balaji,

This is the entire CORE package. Note that we had to rebuild the CORE package for OpenSSL vulnerability. Please go ahead and install 5.1P1 on top of existing CORE package.

It will upgrade to 5.1P1. For more details refer to the upgrade section on page 78 of https://library.netapp.com/ecm/ecm_get_file/ECMP1222478.

Regards,

Arun Joseph

BALAJI_VENKATRAMAN

Thanks Arun for your reply.

However, why don't we upgrade to 5.2R1 and "skip" 5.1P1? We have to roll out the upgrade on an entire infrastructure consisting of 20 DFM servers running 5.1 now.

It would be double work to apply the patch and then 5.2R1. I am assuming the Heartbleed bug must be addressed in 5.2R1 as well.

Any thoughts or associated risks you see if we move directly to 5.2R1?

Balaji

arunj

Hi Balaji,

We definitely recommend you to upgrade directly to 5.2R1. This release too addresses the vulnerability in the OpenSSL library when using heartbeat extensions (a.k.a. the Heartbleed bug).

Regards,

Arun Joseph

BALAJI_VENKATRAMAN

Thanks a lot Arun.

One last question - will the upgrade to 5.2R1 cause some major changes in the DFM DB schema, or will it be just a simple, straightforward step like 5.1P1?

Balaji

arunj

Hi Balaji,

There are no major changes to the DFM DB schema. The upgrade procedure is the same as the upgrade to 5.1P1. There are quite a few enhancements available in 5.2R1, as specified in the release notes. Please note that 5.2R1 does not support a 32-bit installer (which is different from 5.1P1). 5.2R1 requires that you have a 64-bit server. This is the only change that you should consider when deciding between 5.2R1 and 5.1P1.

Let me know if you need more clarifications.

The 5.2R1 release notes are available at https://library.netapp.com/ecm/ecm_get_file/ECMP1517131

Regards,

Arun Joseph
