ONTAP Discussions

Security Patch: Status of NTAP-20160303-0001


Hi All


If I am reading this correctly there is still no published fixed for the Cluster ONTAP.  The dates are getting pretty close and our companiesclus security

compliance team are expecting this patched by end of Nov 2017





Have I missed an advisory update ?  or is that document correct and there is still no update available.


Rgds Andy


Re: Security Patch: Status of NTAP-20160303-0001

That security advisory will be updated today.

View solution in original post

Re: Security Patch: Status of NTAP-20160303-0001

Hi Andy,


According to burt 992754, which covers the March 2016 OpenSSL Vulnerabilities in Clustered Data ONTAP these CVEs were first fixed in ONTAP 9.0 (these are not fixed in cDOT 8.3.2). However, as you state the KB article does not reflect this info.



Since there are other OpenSSH CVEs applicable to ONTAP, do your Security Team have any specific CVE number(s) they need fixed?


FYI burt 1008362, which covers the May 2016 OpenSSH Vulnerabilities: OpenSSH vulnerability in Clustered Data ONTAP are first fixed in ONTAP 9.1 (https://kb.netapp.com/support/s/article/may-2016-openssh-vulnerabilities-in-multiple-netapp-products?language=en_US).




Re: Security Patch: Status of NTAP-20160303-0001


The advisory ID number is below, I suspect this is a internal number only:


Advisory ID: MSS-OAR-E01-2017:0111.3

Description:  NetApp: March 2016 OpenSSL Vulnerabilities in Multiple NetApp Products


It is mapped to a NETAPP advisory and CVE below:


NetApp Advisory Number



   CVE-2016-0703, CVE-2016-0704, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799,
   CVE-2016-0702, CVE-2016-0705


If the NETAPP advisory will be updates soon, then I am more then happy and I can response / patch as needed once I know at what ONTAP level I need to be at.




Re: Security Patch: Status of NTAP-20160303-0001



The security advisory shows clustered ONTAP as fixed for those OpenSSH CVEs.

Cloud Volumes ONTAP
Review Banner
All Community Forums