That is the expectation for Full Support versions, in accordance with the posted definitions.
I recommend opening a support case and requesting a fix on AIQUM 9.14.
AIQUM typically fixes security issues only in the newest GA release which is soon to be 9.16:
https://mysupport.netapp.com/site/info/version-support#aiq
(1) Security patching will only be performed on the current General Availability release.
I agree with Alex - there is no evidence that SANtricity 8.x or 11.x shipped log4j.
Perhaps it was the VxWorks issue that led to the decommissioning.
Oracle assigned CVE-2024-20965 to two products:
https://www.oracle.com/security-alerts/cpujan2024verbose.html#MSQL
CVE-2024-20965
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.32 and prior, 7.6.28 and prior, 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Cluster. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2024-20965
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior and 8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
So there are two security advisories that reference this CVE ID.
The MySQL Cluster advisory as mentioned by @Abeltran:
https://security.netapp.com/advisory/ntap-20240201-0006
And the MySQL Server advisory:
https://security.netapp.com/advisory/NTAP-20240201-0003
Review and monitor them as needed - fixes are added when they are posted for use.
There is no end user control for hiding the SSH version string.
If it helps any, upgrading to ONTAP 9.11.1 or higher will get OpenSSH upgraded from 8.1p1 to 8.7p1.
https://kb.netapp.com/onprem/ontap/os/Vulnerability_scanner_reports_OpenSSH_version_Not_Installed_Multiple_Vulnerabilities_or_to_Upgrade_to_OpenSSH_version
For reference, here is the Software Version Support page: https://mysupport.netapp.com/site/info/version-support It shows that OnCommand Unified Manager 7.2 reached End of Support status on 31-Jul-2019.
https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1166387
Use the (privilege: advanced) "system services web modify -http-enabled false" command to disable HTTP for web services on systems upgraded from ONTAP versions where HTTP was not disabled by default.
Yes, the shared links correspond to the second option in the advisory. Either of those options can be used in the current Full Support versions of ONTAP (9.5+). The product documentation should be consulted for the proper command syntax since it may have changed over time/versions. When that advisory was originally posted, cDOT 8.2 & 8.3 were still under Full Support status. The only mitigation for those releases was to enable FIPS 140-2 compliance mode.
No - ONTAP 9.x includes the "security" command to configure the default SSL and SSH parameters. The advisory guidance was specific to clustered Data ONTAP 8.2.x.
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-980%2Fsecurity__ssh__modify.html
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-980%2Fsecurity__ssl__modify.html
Hello,
Mitigations (fixes or workarounds) are expected for all affected Full Support products. Advisories are updated with first fixed releases when they become available for use. I am unsure if it is possible to configure the firewall on the management node - I'd recommend a support case to confirm.
ONTAP 9.3-9.7 include OpenSSH 7.2p2. Those ONTAP versions would also include any configuration changes or backported code required to address vulnerabilities reflected in the security advisories. ONTAP 9.8 upgraded the included OpenSSH to version 8.1p1.
Nessus has correctly identified the BIND version in ONTAP and is flagging known vulnerabilities in it.
NetApp security advisories report the exploitability status of our products.
The OnCommand API Services EOA CPC linked below contains information under the "Transformation Path to Active IQ Unified Manager 9.7" section that makes it appear that Active IQ Unified Manager 9.7 replaces this functionality, thus it might not integrate with API Services.
https://mysupport.netapp.com/info/communications/ECMLP2871284.html
Hi,
All Full Support releases should eventually have a fix.
https://mysupport.netapp.com/site/info/version-support
Additionally, you are welcome to open a support case to inquire on these matters. The case # can then be added to the appropriate bug - in this case that bug id is 1277615.
ONTAP versions 9.3-9.7 have a base version of OpenSSH 7.2p2.
If an advisory shows a version of ONTAP as fixed, then either a patch was backported or a configuration change was made to prevent exploit.
Please disregard the reference to an advisory - this is not a vulnerability in ONTAP.
Configure the Nessus scanner to use SSH credentials to allow it to run a command to discover the target is ONTAP and not FreeBSD. As far as my testing has shown, if Nessus is unable to login via SSH it interprets the target OS from "ssh -vvv" output.
Hello,
It is not uncommon for third-party code to be patched rather than upgraded in ONTAP. Therefore scan results identified using detected third-party software versions can often be incorrect. I am unaware of any ONTAP documentation that covers updating third-party code versus patching it. As each security advisory states, they "should be considered the single source of current, up-to-date, authorized and accurate information from NetApp." Advisory ntap-20171130-0002 covers CVE-2016-10012, CVE-2016-10011, CVE-2016-10010, and CVE-2016-10009 and it reflects that ONTAP 8.2.5 is the first fixed-in release for these CVEs.
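Several of the replies above (the OpenSSH 7.2p2 / 8.1p1 / 8.7p1 baselines, the note that Nessus falls back to the SSH banner, and the point that ONTAP patches third-party code rather than upgrading it) all come down to the same thing: an SSH identification string tells a scanner which upstream release a daemon was built from, not whether a vendor backported a fix. The script below is an added example, not code from the forum posts or from NetApp or Tenable. It parses the identification string defined in RFC 4253 section 4.2, extracts an OpenSSH version tuple, and classifies a banner against a minimum upstream version that the caller supplies. The banners are constructed for the demo, and the `(8, 7, 1)` threshold in the usage lines is a hypothetical value standing in for whatever first-fixed version the relevant advisory names; the statuses it reports are my own labels.

```python
"""Banner-based OpenSSH version triage (added example). Constructed banners;
the minimum version is a hypothetical threshold supplied by the caller."""
import re
from typing import Optional, Tuple

# RFC 4253 4.2: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)
# OpenSSH software strings look like OpenSSH_8.1p1 or OpenSSH_9.6 (no p-level).
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?")

Version = Tuple[int, int, int]


def parse_banner(line: str) -> dict:
    """Split an identification string into protocol, software and comment."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comment": m.group("comment") or "",
    }


def openssh_version(software: str) -> Optional[Version]:
    """Return (major, minor, patchlevel) for an OpenSSH software string, else None."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")), int(m.group("patch") or 0))


def triage(banner: str, minimum_upstream: Version) -> dict:
    """Classify a banner relative to the first upstream OpenSSH release with a fix.

    A banner below the threshold is NOT reported as vulnerable: the vendor may
    have backported the fix without changing the version string, so the result
    points the analyst at the vendor advisory instead.
    """
    info = parse_banner(banner)
    version = openssh_version(info["software"])
    if version is None:
        status = "unknown_software"
    elif version >= minimum_upstream:
        status = "at_or_above_upstream_fix"
    else:
        status = "verify_with_vendor_advisory"
    return {**info, "version": version, "status": status}


if __name__ == "__main__":
    # Constructed banners; the first two match the baselines quoted in the thread.
    banners = [
        "SSH-2.0-OpenSSH_7.2p2",
        "SSH-2.0-OpenSSH_8.1p1",
        "SSH-2.0-OpenSSH_8.7p1",
        "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
        "SSH-2.0-dropbear_2019.78",
    ]
    threshold: Version = (8, 7, 1)  # hypothetical first-fixed upstream version
    for b in banners:
        r = triage(b, threshold)
        print(f"{b:45s} -> {r['status']}")
```

Running it shows why a scanner that only sees `OpenSSH_7.2p2` has no way to distinguish ONTAP 9.3 from a stock build: the honest output for anything below the threshold is "go read the vendor advisory", which is exactly what the NetApp replies above keep saying.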