Network and Storage Protocols

What Netapp Products are subject to OpenSSL Heartbleed Vulnerability

gregory_a_price
13,663 Views

There was a major vulnerability disclosed in OpenSSL yesterday which is being referred to as heartbleed. While the specifics are still being investigated, it places all userid/passwords at risk when using OpenSSL. I know that some Netapp products use it and am trying to find out which are vulnerable and what the plans are for addressing it.

30 REPLIES 30

connoisseur
6,160 Views

Hi!

Do you have any update on the new OpenSSL issue?

DTLS invalid fragment vulnerability (CVE:2014-0195) and SSL/TLS MITM vulnerability (CVE:2014-0224)

Will this document be updated or will you have new ones for these?

SMITHT3A1
6,161 Views

Any word on this yet?

ajosh
6,160 Views

NetApp has posted Security Advisories for the latest OpenSSL vulnerabilities at the following URLs.  Updates are being posted as new information is available.

OpenSSL TLS Handshake Vulnerability in Select NetApp Products (cve-2014-0224)

https://library.netapp.com/ecm/ecm_get_file/ECMP1636026

cve-2014-0224

OpenSSL Elliptic Curve Vulnerabilities in Multiple NetApp Products (cve-2014-3470,cve-2014-0076)

https://library.netapp.com/ecm/ecm_get_file/ECMP1636027

DTLS vulnerabilities in OpenSSL in Multiple NetApp Products (cve-2014-0221,cve-2014-0195)

https://library.netapp.com/ecm/ecm_get_file/ECMP1636028

OpenSSL SSL_MODE_RELEASE_BUFFERS Vulnerabilities in NetApp Products (cve-2014-0198,cve-2010-5298)

https://library.netapp.com/ecm/ecm_get_file/ECMP1636029

aborzenkov
6,161 Views

Is there any entry page for all security advisories? How we are supposed to find those links? They are not entirely obvious ...

BALAJI_VENKATRAMAN
6,160 Views

Hi ajosh,,

We have a vulnerable product in our setup i.e OCUM 5.1 and the fix is 5.1P1 as per the above document.

However when I download this package from the website it is a 700 MB file which seems like a entire CORE package.

Isnt it supposed to be just a security patch i.e a small piece of file.

Can I go ahead and install this on top of the existing CORE installed package?

Hope the underlying DB wont wont be affected !!

Balaji

arunj
6,160 Views

Hi Balaji,

This is the entire CORE package. Note that we had to rebuild the CORE package for OpenSSL vulnerability. Please go ahead and install 5.1P1 on top of existing CORE package.

It will upgrade to 5.1P1. For more details refer to upgrade section in page 78 https://library.netapp.com/ecm/ecm_get_file/ECMP1222478.

Regards,

Arun Joseph

BALAJI_VENKATRAMAN
6,160 Views

Thanks Arun for your reply.

However why dont we upgrade to 5.2R1 and "skip" 5.1P1.We have to rollout the upgrade on an entire infra consisting of 20 DFM servers running 5.1 now.

It would be double work of the patch application and then 5.2R1.I am assuming the Hearbleed bug must be addressed in 5.2R1 as well.

Any thoughts or associated risks you see is we move directly to 5.2R1?

Balaji

arunj
6,160 Views

Hi Balaji,

We definitely recommend you to upgrade directly to 5.2R1. This release too addresses the vulnerability in the OpenSSL library when using heartbeat extensions (a.k.a heartbleed bug).

Regards,

Arun Joseph

BALAJI_VENKATRAMAN
6,161 Views

Thanks a lot Arun.

One last question - will the upgrade to 5.2R1 cause some major changes in the DFM DB schema or will it be just a simple straighforward step like 5.1p1?

Balaji

arunj
5,050 Views

Hi Balaji,

There are no major changes to the DFM DB schema. The upgrade procedure is same as  upgrade to 5.1P1. There are quite a few enhancements available in 5.2R1 as specified in the release notes. Please note that 5.2R1 does not support 32 bit installer (which is different than 5.1P1). 5.2R1 requires that you have a 64 bit server. This is the only change that you should consider when deciding between 5.2R1 or 5.1P1.

Let me know if you need more clarifications.

5.2R1 release notes is available at https://library.netapp.com/ecm/ecm_get_file/ECMP1517131

Regards,

Arun Joseph

Public