topic Re: vulnerability in ONTAP Discussions

vulnerability

prajyot123 — Wed, 04 Jun 2025 12:50:18 GMT

Hi Team,

Looking for solution for vurnabilities please check attached file for details.

NetApp Release 8.2.3P3 7-Mode: Tue Apr 28 14:48:22 PDT 2015

The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities :

- A security bypass vulnerability exists due to improper restriction of access to the console and web management interfaces. An unauthenticated, remote attacker can exploit this, via direct requests, to bypass authentication and gain administrative access.

(CVE-2007-1036)

- A remote code execution vulnerability exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. An unauthenticated, remote attacker can exploit this to bypass authentication and invoke MBean methods, resulting in the execution of arbitrary code.

(CVE-2012-0874)

- A remote code execution vulnerability exists in the EJBInvokerServlet and JMXInvokerServlet servlets due to the ability to post a marshalled object. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to install arbitrary applications. Note that this issue is known to affect McAfee Web Reporter versions prior to or equal to version 5.2.1 as well as Symantec Workspace Streaming version 7.5.0.493 and possibly earlier.

(CVE-2013-4810)

Thanks & Regards

Prajyot Katakdound

prajyot.katakdound.wg@hitachi-systems.com

Re: vulnerability

JGPSHNTAP — Tue, 12 Feb 2019 13:36:32 GMT

Time to upgrade to 8.2.5p2

Re: vulnerability

prajyot123 — Wed, 13 Feb 2019 07:47:54 GMT

Thank you very much team , but could you also help me with any technote which could justify the same

Thanks & Regards

Prajyot Katakdound

prajyot.katakdound.wg@hitachi-systems.com

Re: vulnerability

paul_stejskal — Wed, 13 Feb 2019 15:22:46 GMT

Please check https://security.netapp.com/advisory/. If it's not listed here, I'd open a Support case.

Re: vulnerability

kryan — Wed, 13 Feb 2019 16:45:01 GMT

A support case is the recommended action to resolve items from a scanner report.

Anyone prioritizing security for 7-Mode ONTAP should be targeting the latest P release of 8.2.5.

These CVEs cover JBoss and HP ProCurve Manager, none of which is shipped in ONTAP.
https://nvd.nist.gov/vuln/detail/CVE-2007-1036
https://nvd.nist.gov/vuln/detail/CVE-2012-0874
https://nvd.nist.gov/vuln/detail/CVE-2013-4810