ONTAP Discussions

vulnerability

prajyot123
5,741 Views

Hi Team,

 

Looking for solution for vurnabilities please check attached file for details.

 

NetApp Release 8.2.3P3 7-Mode: Tue Apr 28 14:48:22 PDT 2015

 

The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities :

 

  - A security bypass vulnerability exists due to improper     restriction of access to the console and web management     interfaces. An unauthenticated, remote attacker can     exploit this, via direct requests, to bypass     authentication and gain administrative access.

    (CVE-2007-1036)

 

  - A remote code execution vulnerability exists due to the     JMXInvokerHAServlet and EJBInvokerHAServlet invoker     servlets not properly restricting access to profiles. An     unauthenticated, remote attacker can exploit this to     bypass authentication and invoke MBean methods,     resulting in the execution of arbitrary code.

    (CVE-2012-0874)

 

  - A remote code execution vulnerability exists in the     EJBInvokerServlet and JMXInvokerServlet servlets due to     the ability to post a marshalled object. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to install arbitrary     applications. Note that this issue is known to affect     McAfee Web Reporter versions prior to or equal to     version 5.2.1 as well as Symantec Workspace Streaming     version 7.5.0.493 and possibly earlier.

    (CVE-2013-4810)

 

 

 

Thanks & Regards

Prajyot Katakdound

prajyot.katakdound.wg@hitachi-systems.com

 

 

1 ACCEPTED SOLUTION

kryan
5,629 Views
A support case is the recommended action to resolve items from a scanner report.

Anyone prioritizing security for 7-Mode ONTAP should be targeting the latest P release of 8.2.5.

These CVEs cover JBoss and HP ProCurve Manager, none of which is shipped in ONTAP.
https://nvd.nist.gov/vuln/detail/CVE-2007-1036
https://nvd.nist.gov/vuln/detail/CVE-2012-0874
https://nvd.nist.gov/vuln/detail/CVE-2013-4810

View solution in original post

4 REPLIES 4

JGPSHNTAP
5,732 Views

Time to upgrade to 8.2.5p2

prajyot123
5,669 Views

Thank you very much  team , but could you also  help me with any technote which could justify the same 

 

 

Thanks & Regards

Prajyot Katakdound

prajyot.katakdound.wg@hitachi-systems.com

 

paul_stejskal
5,637 Views

Please check https://security.netapp.com/advisory/. If it's not listed here, I'd open a Support case.

kryan
5,630 Views
A support case is the recommended action to resolve items from a scanner report.

Anyone prioritizing security for 7-Mode ONTAP should be targeting the latest P release of 8.2.5.

These CVEs cover JBoss and HP ProCurve Manager, none of which is shipped in ONTAP.
https://nvd.nist.gov/vuln/detail/CVE-2007-1036
https://nvd.nist.gov/vuln/detail/CVE-2012-0874
https://nvd.nist.gov/vuln/detail/CVE-2013-4810
Public