There was a major vulnerability disclosed in OpenSSL yesterday which is being referred to as Heartbleed. While the specifics are still being investigated, it places all userid/passwords at risk when using OpenSSL. I know that some NetApp products use it and am trying to find out which are vulnerable and what the plans are for addressing it.
NetApp takes the security of our products very seriously and is committed to resolving vulnerabilities to meet the needs of our customers and the broader technology community.
If there is a security issue with a third-party software component that is used in a NetApp product, NetApp will attempt to verify the vulnerability and will prioritize it based on the relative severity of the vulnerability as well as the business needs of the organization.
NetApp is currently evaluating the impact of the OpenSSL vulnerability. We will provide an update as additional information becomes available.
So now I have to monitor some static PDF page to find when a patch is released? Meanwhile, we are going to get completely nailed by regulatory audits since Nessus has a plug-in to detect this... Please, NetApp, PATCH THIS.
The document is being updated almost daily. Please reference the section entitled "Software Versions and Fixes" for patch information. The list of Vulnerable products does not change as patches are released.
I suggest you add an executive summary then, or at the very least put a note to the right of the vulnerable products stating "patched - see below"... NetApp has way too many products to expect customers who are only using a handful of them to skim a huge list (on a PDF, nonetheless).
Well, the updated version was still running 1.0.1e (although it may well have been compiled differently). As I can't tell, I've replaced it with 1.0.1g and it seems OK. This is probably unsupported, so do so at your own risk, etc.