https://community.netapp.com/t5/ONTAP-Hardware/Vulnerabilities/m-p/145865#M9251 <P>I know it's not obvious when looking at the specific page, but this text to the right of "<STRONG>Overview</STRONG>" are additional tabs of information.</P> <P><FONT size="4"><STRONG>Affected Products&nbsp;&nbsp;&nbsp;&nbsp; Remediation&nbsp;&nbsp;&nbsp; Revision History</STRONG></FONT></P> <P>&nbsp;</P> <P>If you click on <STRONG>Remediation</STRONG>, you will see ONTAP 8.2.5 7-Mode has a fix.</P> Fri, 11 Jan 2019 17:51:29 GMT andris 2019-01-11T17:51:29Z https://community.netapp.com/t5/ONTAP-Hardware/Vulnerabilities/m-p/145847#M9249 <P>OpenSSH 7.4 Not Installed Multiple Vulnerabilities</P> <P>Device is a&nbsp;FAS2240-2</P> <P>Version 8.2.5 7</P> <P>Is this system vulnerable. Many Linux systems run an older version of OpenSSH but they are patch to version 7.4.</P> <P>This is information is easy to find for many operating systems and appliacnes but NetApp seems to lack in&nbsp;simple listings&nbsp;of&nbsp;vulnerability documentation and mitigations.</P> <P>Does NetApp do this.</P> <P>I found this link "<A href="https://security.netapp.com/advisory/ntap-20171130-0002/" target="_blank">https://security.netapp.com/advisory/ntap-20171130-0002/</A>" but it states nothing for mitigation. Like what version is fixed.</P> <P>Being that NetApp should be PCI compliant which means it must be patched for all Critical and High vulnerabilites I would hope it is or can be patched.</P> <P>Teh CVE's in question are&nbsp;&nbsp;CVE-2016-10012, CVE-2016-10011, CVE-2016-10010, CVE-2016-10009</P> Wed, 04 Jun 2025 12:58:07 GMT https://community.netapp.com/t5/ONTAP-Hardware/Vulnerabilities/m-p/145847#M9249 kdfosterjr 2025-06-04T12:58:07Z https://community.netapp.com/t5/ONTAP-Hardware/Vulnerabilities/m-p/145865#M9251 <P>I know it's not obvious when looking at the specific page, but this text to the right of "<STRONG>Overview</STRONG>" are additional tabs of information.</P> <P><FONT size="4"><STRONG>Affected Products&nbsp;&nbsp;&nbsp;&nbsp; Remediation&nbsp;&nbsp;&nbsp; Revision History</STRONG></FONT></P> <P>&nbsp;</P> <P>If you click on <STRONG>Remediation</STRONG>, you will see ONTAP 8.2.5 7-Mode has a fix.</P> Fri, 11 Jan 2019 17:51:29 GMT https://community.netapp.com/t5/ONTAP-Hardware/Vulnerabilities/m-p/145865#M9251 andris 2019-01-11T17:51:29Z https://community.netapp.com/t5/ONTAP-Hardware/Vulnerabilities/m-p/149436#M9526 <P>Andris, we have been looking a for a while regarding this same CVE. The notes all state that this has been fixed in newer releases on OnTap, but additional scans to the Netapp devices still show they are running OpenSSH 7.2. Was this fixed via a backport? If not, how was it fixed. If it is fixed with a backport, is there any official documentation stating this?</P> Mon, 08 Jul 2019 15:52:18 GMT https://community.netapp.com/t5/ONTAP-Hardware/Vulnerabilities/m-p/149436#M9526 Livewire18 2019-07-08T15:52:18Z https://community.netapp.com/t5/ONTAP-Hardware/Vulnerabilities/m-p/149449#M9527 <P>Hello,</P> <P>&nbsp;</P> <P>It is not uncommon for third party to be patched rather than upgraded in ONTAP. Therefore scan results identified using detected third party software versions can often be incorrect. I am unaware of any ONTAP documentation that covers updating third party code versus patching it. As each security advisory states, they "should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.". Advisory ntap-20171130-0002 covers CVE-2016-10012, CVE-2016-10011, CVE-2016-10010, and CVE-2016-10009 and it reflects that ONTAP 8.2.5 is the first fixed-in release for these CVEs.</P> Mon, 08 Jul 2019 20:58:47 GMT https://community.netapp.com/t5/ONTAP-Hardware/Vulnerabilities/m-p/149449#M9527 kryan 2019-07-08T20:58:47Z