Network and Storage Protocols

cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Network and Storage Protocols

Ask a Question

What Netapp Products are subject to OpenSSL Heartbleed Vulnerability

gregory_a_price
‎2014-04-09 11:47 AM
15,534 Views

There was a major vulnerability disclosed in OpenSSL yesterday which is being referred to as heartbleed. While the specifics are still being investigated, it places all userid/passwords at risk when using OpenSSL. I know that some Netapp products use it and am trying to find out which are vulnerable and what the plans are for addressing it.

Tags (2)
30 REPLIES 30

FULLSTEAM
‎2014-04-09 12:23 PM
12,584 Views

OnCommand Core 5.2P2 is vulnerable.  Already case'd it.

ajosh
NetApp
‎2014-04-09 05:33 PM
12,584 Views

NetApp takes the security of our products very seriously and is committed to resolving vulnerabilities to meet the needs of our customers and the broader technology community.

If there is a security issue with a third-party software component that is used in a NetApp product, NetApp will attempt to verify the vulnerability and will prioritize it based on the relative severity of the vulnerability as well as the business needs of the organization.

NetApp is currently evaluating the impact of the OpenSSL vulnerability.  We will provide an update as additional information becomes available.

0 Kudos

FULLSTEAM
‎2014-04-09 05:42 PM
In response to ajosh
12,584 Views

A decidedly vague and unhelpful PR dodge.

Please take a clue from many other vendors (e.g http://kb.vmware.com/kb/2076225😞  Share what you know, as you know it, in a public spot, even if it's not much.

That it's been this long with technical radio silence and trade show song-and-dance on the social media feeds is insanity.

JONATHAPQ
‎2014-04-10 01:51 AM
12,584 Views

I have a case open with Netapp currently for this and bugs 815987 & 816639 have been opened for investigation/handling of the vulnerability CVE-2014-0160:

http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=815987 - no public-facing notes as yet but looks like no version of ONTAP ships with OpenSSL 1.0.1x, so ONTAP is unaffected.

http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=816639 - this is a newly filed bug so may not have hit 24 hour mark yet until later today.

0 Kudos

gregory_a_price
‎2014-04-10 01:31 PM
12,584 Views

It appears that the SMI-S client is also vulnerable.

0 Kudos

ajosh
NetApp
‎2014-04-10 04:28 PM
12,877 Views

We have posted our current status for CVE-2014-0160 at the following URL:

https://library.netapp.com/ecm/ecm_get_file/ECMP1516404

We will continue to be making updates as new information is available.

FULLSTEAM
‎2014-04-10 05:14 PM
In response to ajosh
12,583 Views

Will that link be THE place for ongoing updates?

0 Kudos

ajosh
NetApp
‎2014-04-11 09:55 AM
In response to FULLSTEAM
12,583 Views

Yes, this link will remain static and be the location for official communications regarding CVE-2014-0160.

0 Kudos

JLOCKIE_CEFCU
‎2014-04-17 10:36 AM
In response to ajosh
12,584 Views

So now I have to monitor some static PDF page to find when a patch is released?  Meanwhile, we are going to get completely nailed by regulatory audits since Nessus has a plug-in to detect this.....please NetApp PATCH THIS.

0 Kudos

JLOCKIE_CEFCU
‎2014-04-22 10:06 AM
In response to ajosh
11,934 Views

This document isn't even current!  There's a patch for OnCommand Unified Manager Core, but the PDF still lists it as vulnerable. 

Again, this is a very poor communication.

0 Kudos

ajosh
NetApp
‎2014-04-22 10:12 AM
In response to JLOCKIE_CEFCU
11,934 Views

The document is being updated almost daily.  Please reference the section entitled "Software Versions and Fixes" for patch information.  The list of Vulnerable products does not change as patches are released.

0 Kudos

JLOCKIE_CEFCU
‎2014-04-22 10:16 AM
In response to ajosh
11,640 Views

I suggest you add an executive summary then, or at the very least put a note to the right of the vulnerable products stating "patched - see below".....NetApp has way too many products to expect customers who are only using a handful of them to skim a huge list (on a PDF none the less).

0 Kudos

JONATHAPQ
‎2014-04-23 01:31 AM
In response to JLOCKIE_CEFCU
11,640 Views

ctrl+f ?

0 Kudos

bazmercer
‎2014-04-23 05:33 AM
In response to ajosh
11,935 Views

Hi,

The changelog for oncommand core 5.2r1 indicates it's added support for "OpenSSL 1.0.1e" - which is still vulnerable.

0 Kudos

bazmercer
‎2014-04-23 07:16 AM
In response to bazmercer
11,934 Views

well, the updated version was still running 1.0.1e (although it may well have been compiled differently). As I can't tell, I've replaced it with 1.0.1g and it seems ok. This is probably unsupported so do so at your own risk etc etc.

0 Kudos

FULLSTEAM
‎2014-04-23 07:55 AM
In response to bazmercer
11,261 Views

RHAT's patch for openssl was a backport into 1.0.1e; could be what they did here.  Eh, whatever, 5.2R1 scanned cleanly as-deployed without jimmying it.

Though, what you did (symlinking/copying a known-good lib over OC's static library) was our last-ditch plan if the patch was going to take too long.

0 Kudos

JLOCKIE_CEFCU
‎2014-04-23 08:06 AM
In response to FULLSTEAM
11,261 Views

I can also confirm it scans clean after patching.  No need to mess with it.  It was lighting up like a Christmas tree on previous scans. 

Would be nice if they used Apache 2.4.6 instead of 2.4.4 due to CVE-2013-2249.

0 Kudos

bazmercer
‎2014-04-23 08:12 AM
In response to JLOCKIE_CEFCU
11,261 Views

Ah ok fair enough. I didn't have any scan tools so was just playing it safe. Thanks for the info.

0 Kudos

JLOCKIE_CEFCU
‎2014-04-23 08:20 AM
In response to FULLSTEAM
11,576 Views

That's cool. 

We use Nessus.

0 Kudos
Announcements
All Community Forums
Public