Greetings,
I am going through some security audits and I am curious how NetApp OnCommand DFM handles Apache vulnerabilities.
I have OnCommand Core Package 5.0.0.7636 (5.0); which seems to use Apache/2.2.10 (Win32) mod_ssl/2.2.10 OpenSSL/0.9.8e
I can see that DFM does not pack in very many libraries or Apache modules, so it seems to me that this really limits the potential for vulnerabilities to surface in OnCommand's Apache.
But I have to answer the security team on questions like:
CVE-2011-3192 published 2011-08-29
Affected Apache = < 2.2.19
On the surface, the security team says "Vulnerable" because OnCommand DFM is at 2.2.10 (i.e. "vulnerable").
I need to verify my thought process.
1. I assume NetApp branched off its own Apache at 2.2.10 and is doing its own thing? So the only safe way for me to patch Apache for DFM is to "patch OnCommand Core Package"?
2. As long as I have the latest OnCommand Core Package revision installed, then I have the newest and least vulnerable httpd offered by NetApp?
3. Is 5.0.0.7636 the latest version?
4. Also, there are vulnerabilities that I need to address, like vulns in mod_dav. Is it sound to say that because the Apache with OnCommand does not even have mod_dav, I do not really need to care about the patch?
Thanks very much. I appreciate any feedback.