ONTAP Discussions

CVE-2022-38023

trackstar
7,722 Views

Hi Guys,

We have a FAS2650 which is on NetApp Release 9.3P18. We had planned to move away from this platform, but unfortunately things have been slow. What version of ONTAP will resolve CVE-2022-38023?

We have applied the workaround on the MS Domain Controllers' end, but note that any patch after July 11 will remove the workaround.

Thanks in advance,

TT


SpindleNinja
7,703 Views

TMACMD
7,696 Views

See the article @SpindleNinja just posted.
From what I recall, the oldest versions that are patched are ONTAP 9.7 (get the latest P release) and forward. On any release, get the latest P release.

That 2650 is capable of being updated to 9.11.

trackstar
7,695 Views

I just finished a support call. They said 9.10.1 will fix the issue with the Microsoft CVE. So 9.7 will also?

TMACMD
7,694 Views

Like I said, read the link.
It details everything, including the versions it is fixed in, 9.7P22 being the lowest/oldest version of ONTAP.

SpindleNinja
7,686 Views

Yeah, sounds like they are just being proactive, as 9.7 goes end of full-term support in July this year.

9.7 - 31-Jul-2023.

I would go to 9.9.1 or 9.10.1 at a minimum.

SVHO
7,667 Views

Finally was able to view the docs and talked to the core team. I am the original poster "trackstar".

Core team said 9.7 fixed the issue (I also saw the docs). I was told as long as we are in "Limited Support" we are ok. Our hardware has an EOL next May.

Question: on version 9.3, I remember downloading the non-encryption version of ONTAP (without NetApp Volume Encryption). If I were to download the encryption version this time, would I have any issues? I am in the U.S.

Thank you.

RossC
7,659 Views

The encrypted or non-encrypted version of ONTAP is not in reference to protocol-level encryption. It's in reference to encryption of the data being written to the storage.

Most of our customers (in the US) will use the encryption version of ONTAP, as that allows them to enable the data encryption features of ONTAP if they require it.

TMACMD
7,652 Views

If you are in the US, you should just download the encryption-capable version. The other is listed for countries that are not allowed to have the encryption on their systems.

SVHO
7,641 Views

Thank you guys.

We had to set "RequireSeal:1" as a workaround after the June patch. Let's say we patched ONTAP to 9.7+ next week; we don't have to do anything else on the NetApp's end?

https://kb.netapp.com/onprem/ontap/da/NAS/Does_CVE-2022-38023_have_any_impact_to_ONTAP_9

For the Microsoft DCs, we can do either?

1) We change the registry value to "RequireSeal:2" after applying the ONTAP patch next week and do not wait until MS's July patches

or

2) Do nothing to the registry and wait until MS's July patch
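To decide between the two options above (move the DCs to RequireSeal 2 now, or wait for the July update), what you want to know is whether any client is still negotiating Netlogon RPC signing instead of sealing once ONTAP is patched. The following is an added PowerShell example, not from the original thread, NetApp, or Microsoft: it reads the current RequireSeal value on every DC and counts Netlogon event 5838, which is the event Microsoft's KB5021130 documents for a client that used RPC signing rather than sealing; an unpatched ONTAP SVM's machine account would appear there. Assumptions: the ActiveDirectory module and WinRM are available, the caller is a Domain Admin, the value meanings (0 not enforced, 1 compatibility, 2 enforcement) are as given in KB5021130, and the function names are mine.

```powershell
# Added example for this thread; not NetApp's or Microsoft's own tooling.
# Assumes: ActiveDirectory module installed, caller is a Domain Admin, WinRM
# enabled on the DCs. RequireSeal meanings and Netlogon event 5838 are taken
# from Microsoft's KB5021130 guidance for CVE-2022-38023.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RequireSealStatus {
    [CmdletBinding()]
    param(
        # Defaults to every DC in the current domain.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        # How many recent Netlogon 5838 events to inspect per DC.
        [int]$MaxEvents = 500
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $NetlogonKey, $MaxEvents -ScriptBlock {
        param($Key, $Max)

        # RequireSeal is absent until someone sets it; a patched DC then uses its
        # patch-level default, so "not set" is reported as such rather than as 0.
        $raw = (Get-ItemProperty -Path $Key -Name RequireSeal -ErrorAction SilentlyContinue).RequireSeal
        $meaning = switch ($raw) {
            0       { 'not enforced (0)' }
            1       { 'compatibility (1): signing-only clients still accepted' }
            2       { 'enforcement (2): RPC sealing required' }
            default { 'not set: DC uses its patch-level default' }
        }

        # Netlogon logs 5838 for each client that negotiated RPC signing instead of
        # sealing. Once ONTAP is on a fixed release, these should stop appearing
        # for the SVM's machine account. Get-WinEvent raises a non-terminating
        # error when nothing matches, so the @() keeps $events an array either way.
        $events = @(Get-WinEvent -FilterHashtable @{
                LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5838
            } -MaxEvents $Max -ErrorAction SilentlyContinue)
        $last = $null
        if ($events.Count -gt 0) { $last = $events[0].TimeCreated }

        [pscustomobject]@{
            DC               = $env:COMPUTERNAME
            RequireSeal      = $raw
            Meaning          = $meaning
            SigningEvents    = $events.Count
            LastSigningEvent = $last
            # Message text of the newest events, so the client account can be read off.
            Samples          = @($events | Select-Object -First 3 | ForEach-Object { $_.Message })
        }
    }
}

function Set-RequireSeal {
    # Only 1 (compatibility) and 2 (enforcement) are offered; 0 disables the fix.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet(1, 2)][int]$Value,
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($dc, "Set Netlogon RequireSeal=$Value")) {
            Invoke-Command -ComputerName $dc -ArgumentList $NetlogonKey, $Value -ScriptBlock {
                param($Key, $V)
                # Set-ItemProperty creates the DWORD if it does not already exist.
                Set-ItemProperty -Path $Key -Name RequireSeal -Value $V -Type DWord
            }
        }
    }
}

# Usage:
#   Get-RequireSealStatus | Format-Table DC, RequireSeal, Meaning, SigningEvents, LastSigningEvent
#   Set-RequireSeal -Value 2 -WhatIf      # drop -WhatIf once no 5838 events name the ONTAP SVM
```

Run the status check on the DCs after the ONTAP upgrade and again a day later; if the 5838 count for the SVM's machine account stays at zero, moving to RequireSeal 2 before the July update only changes what the DC would already enforce.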

SpindleNinja
7,634 Views

If you patch both ends, you should be good. That's how we all read the KBs.

SVHO
7,575 Views

So running the command below, I see all of the connections using NTLMv2 (we disabled v1 a long time ago). This is expected, right? After both ends are patched, will we see only Kerberos?

vserver cifs session show -vserver xxx_svm1 -fields auth-mechanism,address,windows-user

vserver cifs security show -vserver xxx_svm1

Vserver: xxx_svm1

Kerberos Clock Skew: 5 minutes
Kerberos Ticket Age: 10 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
Is Password Complexity Required: true
Use start_tls for AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: ntlmv2-krb
Is SMB Encryption Required: false
Client Session Security: none
SMB1 Enabled for DC Connections: system-default
SMB2 Enabled for DC Connections: system-default

SVHO
7,416 Views

Never mind, MS just enforced the connection to be more secure, not getting rid of the protocol.
