ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

vulnerability

prajyot123
‎2019-02-12 05:22 AM
5,648 Views

Hi Team,

 

Looking for solution for vurnabilities please check attached file for details.

 

NetApp Release 8.2.3P3 7-Mode: Tue Apr 28 14:48:22 PDT 2015

 

The 'EBJInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities :

 

  - A security bypass vulnerability exists due to improper     restriction of access to the console and web management     interfaces. An unauthenticated, remote attacker can     exploit this, via direct requests, to bypass     authentication and gain administrative access.

    (CVE-2007-1036)

 

  - A remote code execution vulnerability exists due to the     JMXInvokerHAServlet and EJBInvokerHAServlet invoker     servlets not properly restricting access to profiles. An     unauthenticated, remote attacker can exploit this to     bypass authentication and invoke MBean methods,     resulting in the execution of arbitrary code.

    (CVE-2012-0874)

 

  - A remote code execution vulnerability exists in the     EJBInvokerServlet and JMXInvokerServlet servlets due to     the ability to post a marshalled object. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to install arbitrary     applications. Note that this issue is known to affect     McAfee Web Reporter versions prior to or equal to     version 5.2.1 as well as Symantec Workspace Streaming     version 7.5.0.493 and possibly earlier.

    (CVE-2013-4810)

 

 

 

Thanks & Regards

Prajyot Katakdound

prajyot.katakdound.wg@hitachi-systems.com

 

 

Preview file
13 KB
0 Kudos
Tags (1)
1 ACCEPTED SOLUTION

kryan
NetApp
‎2019-02-13 08:45 AM
5,536 Views
A support case is the recommended action to resolve items from a scanner report.

Anyone prioritizing security for 7-Mode ONTAP should be targeting the latest P release of 8.2.5.

These CVEs cover JBoss and HP ProCurve Manager, none of which is shipped in ONTAP.
https://nvd.nist.gov/vuln/detail/CVE-2007-1036
https://nvd.nist.gov/vuln/detail/CVE-2012-0874
https://nvd.nist.gov/vuln/detail/CVE-2013-4810

View solution in original post

0 Kudos
4 REPLIES 4

JGPSHNTAP
‎2019-02-12 05:36 AM
5,639 Views

Time to upgrade to 8.2.5p2

0 Kudos

prajyot123
‎2019-02-12 11:47 PM
In response to JGPSHNTAP
5,576 Views

Thank you very much  team , but could you also  help me with any technote which could justify the same 

 

 

Thanks & Regards

Prajyot Katakdound

prajyot.katakdound.wg@hitachi-systems.com

 

0 Kudos

paul_stejskal
NetApp
‎2019-02-13 07:22 AM
In response to prajyot123
5,544 Views

Please check https://security.netapp.com/advisory/. If it's not listed here, I'd open a Support case.

0 Kudos

kryan
NetApp
‎2019-02-13 08:45 AM
5,537 Views
A support case is the recommended action to resolve items from a scanner report.

Anyone prioritizing security for 7-Mode ONTAP should be targeting the latest P release of 8.2.5.

These CVEs cover JBoss and HP ProCurve Manager, none of which is shipped in ONTAP.
https://nvd.nist.gov/vuln/detail/CVE-2007-1036
https://nvd.nist.gov/vuln/detail/CVE-2012-0874
https://nvd.nist.gov/vuln/detail/CVE-2013-4810
0 Kudos
All Community Forums
Public