ONTAP Discussions

Security Patch: Status of NTAP-20160303-0001

parkea2

Hi All

 

If I am reading this correctly there is still no published fix for the Cluster ONTAP. The dates are getting pretty close and our company's security compliance team are expecting this patched by end of Nov 2017.

https://kb.netapp.com/support/s/article/march-2016-openssl-vulnerabilities-in-multiple-netapp-products?language=en_US

 

Have I missed an advisory update? Or is that document correct and there is still no update available?

Rgds Andy

1 ACCEPTED SOLUTION

kryan

That security advisory will be updated today.

4 REPLIES

sgrant

Hi Andy,

 

According to burt 992754, which covers the March 2016 OpenSSL Vulnerabilities in Clustered Data ONTAP, these CVEs were first fixed in ONTAP 9.0 (these are not fixed in cDOT 8.3.2). However, as you state, the KB article does not reflect this info.
 

Since there are other OpenSSH CVEs applicable to ONTAP, do your Security Team have any specific CVE number(s) they need fixed?

 

FYI burt 1008362, which covers the May 2016 OpenSSH Vulnerabilities: OpenSSH vulnerability in Clustered Data ONTAP are first fixed in ONTAP 9.1 (https://kb.netapp.com/support/s/article/may-2016-openssh-vulnerabilities-in-multiple-netapp-products?language=en_US).

 

Thanks,

Grant.

parkea2

Hi

The advisory ID number is below, I suspect this is an internal number only:

Advisory ID: MSS-OAR-E01-2017:0111.3

Description:  NetApp: March 2016 OpenSSL Vulnerabilities in Multiple NetApp Products

 

It is mapped to a NETAPP advisory and CVE below:

 

NetApp Advisory Number

   NTAP-20160303-0001

  CVE

   CVE-2016-0703, CVE-2016-0704, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799,
   CVE-2016-0702, CVE-2016-0705

 

If the NETAPP advisory will be updated soon, then I am more than happy and I can respond / patch as needed once I know what ONTAP level I need to be at.

kryan

https://security.netapp.com/advisory/ntap-20160519-0001/

 

The security advisory shows clustered ONTAP as fixed for those OpenSSH CVEs.
