2014-04-09 11:47 AM
There was a major vulnerability disclosed in OpenSSL yesterday which is being referred to as Heartbleed. While the specifics are still being investigated, it places all userid/passwords at risk when using OpenSSL. I know that some NetApp products use it and am trying to find out which are vulnerable and what the plans are for addressing it.
2014-04-09 05:33 PM
NetApp takes the security of our products very seriously and is committed to resolving vulnerabilities to meet the needs of our customers and the broader technology community.
If there is a security issue with a third-party software component that is used in a NetApp product, NetApp will attempt to verify the vulnerability and will prioritize it based on the relative severity of the vulnerability as well as the business needs of the organization.
NetApp is currently evaluating the impact of the OpenSSL vulnerability. We will provide an update as additional information becomes available.
2014-04-09 05:42 PM
A decidedly vague and unhelpful PR dodge.
Please take a clue from many other vendors (e.g. http://kb.vmware.com/kb/2076225): Share what you know, as you know it, in a public spot, even if it's not much.
That it's been this long with technical radio silence and trade show song-and-dance on the social media feeds is insanity.
2014-04-10 01:51 AM
I have a case open with NetApp currently for this and bugs 815987 & 816639 have been opened for investigation/handling of the vulnerability CVE-2014-0160:
http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=815987 - no public-facing notes as yet but looks like no version of ONTAP ships with OpenSSL 1.0.1x, so ONTAP is unaffected.
http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=816639 - this is a newly filed bug so may not have hit the 24-hour mark yet until later today.
2014-04-10 04:28 PM
We have posted our current status for CVE-2014-0160 at the following URL:
We will continue to be making updates as new information is available.
2014-04-17 10:36 AM
So now I have to monitor some static PDF page to find when a patch is released? Meanwhile, we are going to get completely nailed by regulatory audits since Nessus has a plug-in to detect this.....please NetApp PATCH THIS.