https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445448#M42486 <P>Like I said, read the link.&nbsp;<BR />it details everything including the versions it is fixed in. 9.7P22 being the lowest/oldest version of ONTAP</P> Thu, 22 Jun 2023 18:43:01 GMT TMACMD 2023-06-22T18:43:01Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445443#M42482 <P>Hi Guys,</P><P>&nbsp;</P><P>&nbsp;</P><P>We have a FAS2650 which is on version NetApp Release 9.3P18.&nbsp; We had planned to move away from this platform but unfortunately things have been slow.&nbsp; What version of ONTAP will resolve CVE-2022-38023?</P><P>&nbsp;</P><P>We have applied the workaround on MS Domain Controller's end but noting any patch after July 11 will remove the workaround.</P><P>&nbsp;</P><P>Thanks in advance,</P><P>TT</P> Wed, 04 Jun 2025 09:47:36 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445443#M42482 trackstar 2025-06-04T09:47:36Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445445#M42483 <P>9.7P22 -is the lowest.&nbsp;</P> <P>&nbsp;</P> <P><A href="https://kb.netapp.com/Support_Bulletins/Customer_Bulletins/SU2" target="_blank">https://kb.netapp.com/Support_Bulletins/Customer_Bulletins/SU2</A></P> Thu, 22 Jun 2023 18:22:11 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445445#M42483 SpindleNinja 2023-06-22T18:22:11Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445446#M42484 <P>See the article&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/67570">@SpindleNinja</a>&nbsp; just posted.&nbsp;<BR />from what I recall, the oldest versions that are patched are ONTAP 9.7(get the latest P release) and forward. On any release, get the latest P release</P><P>&nbsp;</P><P>&nbsp;that 2650 is capable of being updated to 9.11</P> Thu, 22 Jun 2023 18:33:44 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445446#M42484 TMACMD 2023-06-22T18:33:44Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445447#M42485 <P>I just finished a support call.&nbsp; They said 9.10.1 will fix the issue with the Microsoft CVE.&nbsp; So 9.7 will also?</P> Thu, 22 Jun 2023 18:38:34 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445447#M42485 trackstar 2023-06-22T18:38:34Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445448#M42486 <P>Like I said, read the link.&nbsp;<BR />it details everything including the versions it is fixed in. 9.7P22 being the lowest/oldest version of ONTAP</P> Thu, 22 Jun 2023 18:43:01 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445448#M42486 TMACMD 2023-06-22T18:43:01Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445449#M42487 <P>Yeah, &nbsp;sounds like they are just being proactive as 9.7 goes end of full term support in July this year. &nbsp;</P> <P>9.7 - 31-Jul-2023. &nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I would go to 9.9.1 or 9.10.1 at a minimum. &nbsp;</P> Thu, 22 Jun 2023 19:03:37 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445449#M42487 SpindleNinja 2023-06-22T19:03:37Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445490#M42491 <P>Finally was able to view the docs and talked to the core team.&nbsp; I am the original poster "trackstar".</P><P>&nbsp;</P><P>Core team said 9.7 fixed the issue (I also saw the docs).&nbsp; I was told as long as we are in "Limited Support" we are ok.&nbsp; Our hardware has an EOL next May.</P><P>&nbsp;</P><P>Questions, on version 9.3 , I remember downloaded the non encryption of Ontap (without NetApp Volume Encryption).&nbsp; If I were to download the encryption version this time, would I have any issues?&nbsp; I am in the U.S.</P><P>&nbsp;</P><P>Thank you.</P> Thu, 22 Jun 2023 21:57:27 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445490#M42491 SVHO 2023-06-22T21:57:27Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445494#M42492 <P>The encrypted or not encrypted version of ONTAP is not in reference to protocol level encryption. It's in reference to encryption of the data being written to the storage.&nbsp;</P><P>&nbsp;</P><P>Most of our customers (in the US) will use the encryption version of ONTAP as that allows them to enable the data encryption features of ONTAP if they require it.</P> Fri, 23 Jun 2023 00:37:11 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445494#M42492 RossC 2023-06-23T00:37:11Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445495#M42493 <P>If you are in the us, you should just down load the encryption capable version. The other is listed for countries that are not allowed to have the encryption on their systems</P> Fri, 23 Jun 2023 01:11:51 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445495#M42493 TMACMD 2023-06-23T01:11:51Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445503#M42494 <P>Thank you guys.</P><P>&nbsp;</P><P>We had to set the the "RequireSeal:1" as a workaround after the June patch.&nbsp; Lets say we patched ONTAP to 9.7+ next week, we don't have to do anything else on the NetApp's end?</P><P>&nbsp;</P><P><A href="https://kb.netapp.com/onprem/ontap/da/NAS/Does_CVE-2022-38023_have_any_impact_to_ONTAP_9" target="_blank" rel="noopener">https://kb.netapp.com/onprem/ontap/da/NAS/Does_CVE-2022-38023_have_any_impact_to_ONTAP_9</A></P><P>&nbsp;</P><P>For the Microsoft DCs, we can do either?</P><P>1) We change the registry value to "RequireSeal:2" after applying the ONTAP next week and not wait til MS July's patches</P><P>or</P><P>2) Do nothing to the registry and wait til MS July's patch</P> Fri, 23 Jun 2023 04:47:12 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445503#M42494 SVHO 2023-06-23T04:47:12Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445510#M42499 <P>If you patch both end, you should be good. &nbsp; That's how we all read the KBs. &nbsp;</P> Fri, 23 Jun 2023 11:54:16 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445510#M42499 SpindleNinja 2023-06-23T11:54:16Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445519#M42503 <P>So running this command below, I see all of the connections using NTLMv2 (we disabled version v1 a long time ago).&nbsp; This is expected right?&nbsp; After both ends are patched, we will see only Kerberos?</P><P>&nbsp;</P><P>vserver cifs session show -vserver xxx_svm1 -fields auth-mechanism,address,windows-user</P><P>&nbsp;</P><P>&nbsp;</P><P>vserver cifs security show -vserver xxx_svm1</P><P>&nbsp;</P><P>Vserver: xxx_svm1</P><P>Kerberos Clock Skew: 5 minutes<BR />Kerberos Ticket Age: 10 hours<BR />Kerberos Renewal Age: 7 days<BR />Kerberos KDC Timeout: 3 seconds<BR />Is Signing Required: false<BR />Is Password Complexity Required: true<BR />Use start_tls for AD LDAP connection: false<BR />Is AES Encryption Enabled: false<BR />LM Compatibility Level: ntlmv2-krb<BR />Is SMB Encryption Required: false<BR />Client Session Security: none<BR />SMB1 Enabled for DC Connections: system-default<BR />SMB2 Enabled for DC Connections: system-default</P><P>&nbsp;</P> Fri, 23 Jun 2023 18:01:44 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445519#M42503 SVHO 2023-06-23T18:01:44Z https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445590#M42520 <P>Nevermind, MS just enforced the connection to be more secure, not getting rid of it the protocol.</P> Tue, 27 Jun 2023 00:22:45 GMT https://community.netapp.com/t5/ONTAP-Discussions/CVE-2022-38023/m-p/445590#M42520 SVHO 2023-06-27T00:22:45Z