https://community.netapp.com/t5/SolidFire-and-HCI/HCI-vulnerability/m-p/166461#M146 <P>Oftentimes such scans are just "security spam" and report all sorts of things. Many a time it's completely irrelevant to our use case because we don't run eCommerce portals but API services for admins and vCenter/K8s.</P><P>&nbsp;</P><P>For example, let's take a look at the first two CVEs:</P><P>&nbsp;</P><P>1)&nbsp;CVE-2019-11068 -&nbsp;libxslt - I don't see how any of that applies to NetApp HCI or SF environments. "xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded". Users are administrators. If someone could show me how one admin with limited permissions can become another admin, I'd be interested. Otherwise, I don't see how this matters.</P><P>&nbsp;</P><P>2) CVE-2019-14287 - sudo vulnerability. First, there are no users on mNode (or SolidFire nodes) except admins, so there's no harm in a sudoer becoming root. Second, the vulnerability - as per example exploit in the&nbsp; CVE - doesn't do anything (see below). Third, you can become root by simply switching to root - the only user there is (admin) is <EM>supposed</EM> to be able to become root.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="elementx_1-1619850463566.png" style="width: 400px;"><img src="https://community.netapp.com/t5/image/serverpage/image-id/11353i833086C19660597A/image-size/medium?v=v2&amp;px=400" role="button" title="elementx_1-1619850463566.png" alt="elementx_1-1619850463566.png" /></span></P><P>&nbsp;</P><P>Yes, you can limit IP access and NetApp HCI at least recommends to put mNode on a Management VLAN when deploying, so that only admins can access mNode in the first place. If your Mgmt node was on own LAN, exposed only to selected admins and vCenter, for example, it wouldn't get scanned in the first place.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="elementx_2-1619851242186.png" style="width: 400px;"><img src="https://community.netapp.com/t5/image/serverpage/image-id/11354i580A742C9431EC28/image-size/medium?v=v2&amp;px=400" role="button" title="elementx_2-1619851242186.png" alt="elementx_2-1619851242186.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>But many users don't do that because it's "inconvenient", so vCenter, SolidFire MIP(s) and mNode MIP are all made accessible to VM Network.</P><P>&nbsp;</P><P>If you haven't done that, you can move mNode to another network, although that may not be possible without reinstalling it (or reconfiguring, but there are no KBs for that as far as I know), or use other approaches such as iptables on mNode.</P><P>Because of Docker, there's a lot of rules already configured, so you'd have to be careful to just add additional rules that drop access to HCC/mNode management IP/port to all, and allow it to IPs that need access (which could be a handful, depending who and what needs access to that IP). These rules may need to be redeployed after mNode VM is redeployed or upgraded.</P><P>Another way is to install a secure proxy and allow access to mNode only to that proxy IP, and deal with access control on the proxy.</P><P>&nbsp;</P><P><FONT face="courier new,courier">mnode ~ # iptables -L</FONT><BR /><FONT face="courier new,courier">Chain INPUT (policy DROP)</FONT><BR /><FONT face="courier new,courier">target prot opt source destination </FONT><BR /><FONT face="courier new,courier">ufw-before-logging-input all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ufw-before-input all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ufw-after-input all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ufw-after-logging-input all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ufw-reject-input all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ufw-track-input all -- anywhere anywhere</FONT></P><P><FONT face="courier new,courier">Chain FORWARD (policy DROP)</FONT><BR /><FONT face="courier new,courier">target prot opt source destination </FONT><BR /><FONT face="courier new,courier">DOCKER-USER all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">DOCKER-INGRESS all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED</FONT><BR /><FONT face="courier new,courier">DOCKER all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ACCEPT all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ACCEPT all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED</FONT><BR /><FONT face="courier new,courier">DOCKER all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ACCEPT all -- anywhere anywhere</FONT></P><P><FONT face="courier new,courier">[...]</FONT></P> Sat, 01 May 2021 06:49:49 GMT elementx 2021-05-01T06:49:49Z https://community.netapp.com/t5/SolidFire-and-HCI/HCI-vulnerability/m-p/166380#M144 <P>Hello,</P><P>&nbsp;</P><P>After use Nessus scan HCI 1.8P1 and discover below&nbsp;vulnerability, but the "Remediation" did not mention fix the issue. Could HCI 1.9 fix below&nbsp;vulnerability? If did not patch fix, could management node setup firewall ACL allow dedicate hosts access?</P><P>&nbsp;</P><P><A href="https://security.netapp.com/advisory/ntap-20191017-0001/" target="_blank">https://security.netapp.com/advisory/ntap-20191017-0001/</A><BR />CVE-2019-11068</P><P>&nbsp;</P><P><A href="https://security.netapp.com/advisory/" target="_blank">https://security.netapp.com/advisory/</A><BR />CVE-2019-14287</P><P>CVE-2020-10029</P><P>CVE-2020-26116</P><P>CVE-2021-3156</P><P>CVE-2019-5094</P><P>CVE-2020-13817</P><P>CVE-2020-15025</P><P>CVE-2020-1971</P><P>CVE-2020-1752</P><P>CVE-2021-3156</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Best regards,</P><P>&nbsp;</P><P>Chung</P> Wed, 04 Jun 2025 10:26:42 GMT https://community.netapp.com/t5/SolidFire-and-HCI/HCI-vulnerability/m-p/166380#M144 chinchillaking 2025-06-04T10:26:42Z https://community.netapp.com/t5/SolidFire-and-HCI/HCI-vulnerability/m-p/166398#M145 <P>Hello,</P><P>&nbsp;</P><P>Mitigations (fixes or workarounds) are expected for all affected Full Support products. Advisories are updated with first fixed releases when they become available for use.</P><P>&nbsp;</P><P>I am unsure if it is possible to configure the firewall on the management node - I'd recommend a support case to confirm.</P><P>&nbsp;</P> Wed, 28 Apr 2021 18:51:56 GMT https://community.netapp.com/t5/SolidFire-and-HCI/HCI-vulnerability/m-p/166398#M145 kryan 2021-04-28T18:51:56Z https://community.netapp.com/t5/SolidFire-and-HCI/HCI-vulnerability/m-p/166461#M146 <P>Oftentimes such scans are just "security spam" and report all sorts of things. Many a time it's completely irrelevant to our use case because we don't run eCommerce portals but API services for admins and vCenter/K8s.</P><P>&nbsp;</P><P>For example, let's take a look at the first two CVEs:</P><P>&nbsp;</P><P>1)&nbsp;CVE-2019-11068 -&nbsp;libxslt - I don't see how any of that applies to NetApp HCI or SF environments. "xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded". Users are administrators. If someone could show me how one admin with limited permissions can become another admin, I'd be interested. Otherwise, I don't see how this matters.</P><P>&nbsp;</P><P>2) CVE-2019-14287 - sudo vulnerability. First, there are no users on mNode (or SolidFire nodes) except admins, so there's no harm in a sudoer becoming root. Second, the vulnerability - as per example exploit in the&nbsp; CVE - doesn't do anything (see below). Third, you can become root by simply switching to root - the only user there is (admin) is <EM>supposed</EM> to be able to become root.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="elementx_1-1619850463566.png" style="width: 400px;"><img src="https://community.netapp.com/t5/image/serverpage/image-id/11353i833086C19660597A/image-size/medium?v=v2&amp;px=400" role="button" title="elementx_1-1619850463566.png" alt="elementx_1-1619850463566.png" /></span></P><P>&nbsp;</P><P>Yes, you can limit IP access and NetApp HCI at least recommends to put mNode on a Management VLAN when deploying, so that only admins can access mNode in the first place. If your Mgmt node was on own LAN, exposed only to selected admins and vCenter, for example, it wouldn't get scanned in the first place.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="elementx_2-1619851242186.png" style="width: 400px;"><img src="https://community.netapp.com/t5/image/serverpage/image-id/11354i580A742C9431EC28/image-size/medium?v=v2&amp;px=400" role="button" title="elementx_2-1619851242186.png" alt="elementx_2-1619851242186.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>But many users don't do that because it's "inconvenient", so vCenter, SolidFire MIP(s) and mNode MIP are all made accessible to VM Network.</P><P>&nbsp;</P><P>If you haven't done that, you can move mNode to another network, although that may not be possible without reinstalling it (or reconfiguring, but there are no KBs for that as far as I know), or use other approaches such as iptables on mNode.</P><P>Because of Docker, there's a lot of rules already configured, so you'd have to be careful to just add additional rules that drop access to HCC/mNode management IP/port to all, and allow it to IPs that need access (which could be a handful, depending who and what needs access to that IP). These rules may need to be redeployed after mNode VM is redeployed or upgraded.</P><P>Another way is to install a secure proxy and allow access to mNode only to that proxy IP, and deal with access control on the proxy.</P><P>&nbsp;</P><P><FONT face="courier new,courier">mnode ~ # iptables -L</FONT><BR /><FONT face="courier new,courier">Chain INPUT (policy DROP)</FONT><BR /><FONT face="courier new,courier">target prot opt source destination </FONT><BR /><FONT face="courier new,courier">ufw-before-logging-input all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ufw-before-input all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ufw-after-input all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ufw-after-logging-input all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ufw-reject-input all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ufw-track-input all -- anywhere anywhere</FONT></P><P><FONT face="courier new,courier">Chain FORWARD (policy DROP)</FONT><BR /><FONT face="courier new,courier">target prot opt source destination </FONT><BR /><FONT face="courier new,courier">DOCKER-USER all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">DOCKER-INGRESS all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED</FONT><BR /><FONT face="courier new,courier">DOCKER all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ACCEPT all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ACCEPT all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED</FONT><BR /><FONT face="courier new,courier">DOCKER all -- anywhere anywhere </FONT><BR /><FONT face="courier new,courier">ACCEPT all -- anywhere anywhere</FONT></P><P><FONT face="courier new,courier">[...]</FONT></P> Sat, 01 May 2021 06:49:49 GMT https://community.netapp.com/t5/SolidFire-and-HCI/HCI-vulnerability/m-p/166461#M146 elementx 2021-05-01T06:49:49Z