Andris, we have been looking for a while regarding this same CVE. The notes all state that this has been fixed in newer releases of OnTap, but additional scans of the NetApp devices still show they are running OpenSSH 7.2. Was this fixed via a backport? If not, how was it fixed? If it is fixed with a backport, is there any official documentation stating this?
It is not uncommon for third-party code to be patched rather than upgraded in ONTAP. Therefore, scan results identified using detected third-party software versions can often be incorrect. I am unaware of any ONTAP documentation that covers updating third-party code versus patching it. As each security advisory states, they "should be considered the single source of current, up-to-date, authorized and accurate information from NetApp." Advisory ntap-20171130-0002 covers CVE-2016-10012, CVE-2016-10011, CVE-2016-10010, and CVE-2016-10009, and it reflects that ONTAP 8.2.5 is the first fixed-in release for these CVEs.
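The practical consequence of the reply above is that a banner-based finding (the scanner sees "OpenSSH_7.2") has to be triaged against the product version and the advisory's fixed-in release, not against the upstream OpenSSH version. The script below is an added example written for this thread; it is not NetApp code and not part of the original posts. The only fixed-in fact it encodes is the one the reply states (advisory ntap-20171130-0002, ONTAP 8.2.5 as the first fixed release for the four CVEs). The per-release-family table layout, the `Finding`/`triage` names and the treatment of unlisted families as "consult the advisory" are this example's own assumptions; ONTAP version strings such as "8.2.5P1" or "9.1P8" are assumed to follow the major.minor[.maintenance][P<patch>] pattern.

```python
"""Triage banner-based scanner findings against a vendor advisory's fixed-in
release list, for a product (ONTAP) that backports third-party fixes.

Added example for the thread above; assumptions are marked in comments.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Only fact taken from the thread: advisory ntap-20171130-0002 lists ONTAP 8.2.5
# as the first fixed-in release for these four CVEs. Keying fixed-in releases by
# release family (major.minor) is this example's assumption; a real advisory may
# list several families, and families absent here are treated as unknown.
ADVISORIES: Dict[str, dict] = {
    "ntap-20171130-0002": {
        "cves": {"CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10011", "CVE-2016-10012"},
        "fixed_in": {"8.2": "8.2.5"},
    },
}

# Assumed ONTAP version shape: major.minor[.maintenance][P<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:P(\d+))?$")


def parse_ontap_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '8.2.5', '8.2.5P1' or '9.1P8' into a comparable tuple.

    Missing maintenance or patch components compare as 0, so '8.2.5' < '8.2.5P1'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ONTAP version: {text!r}")
    major, minor, maint, patch = m.groups()
    return (int(major), int(minor), int(maint or 0), int(patch or 0))


def family(version: str) -> str:
    """Release family used to look up the fixed-in release, e.g. '8.2'."""
    major, minor, _, _ = parse_ontap_version(version)
    return f"{major}.{minor}"


@dataclass
class Finding:
    host: str
    cve: str
    banner: str          # what the scanner matched on, e.g. 'OpenSSH_7.2'
    ontap_version: str   # what the appliance itself reports


def triage(finding: Finding, advisories: Dict[str, dict] = ADVISORIES) -> str:
    """Classify a finding using the product version, ignoring the upstream banner.

    Returns one of:
      'false_positive_backport'   - running at/after the advisory's fixed-in release
      'vulnerable'                - same family, but before the fixed-in release
      'unknown_consult_advisory'  - CVE is covered, but this family is not in our table
      'no_advisory'               - CVE not covered by any advisory we know of
    """
    for adv in advisories.values():
        if finding.cve not in adv["cves"]:
            continue
        first_fixed = adv["fixed_in"].get(family(finding.ontap_version))
        if first_fixed is None:
            return "unknown_consult_advisory"
        if parse_ontap_version(finding.ontap_version) >= parse_ontap_version(first_fixed):
            return "false_positive_backport"
        return "vulnerable"
    return "no_advisory"


if __name__ == "__main__":
    # Constructed sample findings: every host shows the same OpenSSH_7.2 banner,
    # so only the ONTAP version separates a backported fix from a real exposure.
    samples = [
        Finding("filer-a", "CVE-2016-10012", "OpenSSH_7.2", "8.2.5P2"),
        Finding("filer-b", "CVE-2016-10012", "OpenSSH_7.2", "8.2.4"),
        Finding("filer-c", "CVE-2016-10009", "OpenSSH_7.2", "9.1P8"),
    ]
    for f in samples:
        print(f"{f.host:8} {f.cve} banner={f.banner} ontap={f.ontap_version:8} -> {triage(f)}")
```

The third sample is the important caveat: a 9.x system is not automatically "fixed" just because 9.1 sorts after 8.2.5, since backports land per release family; the function refuses to guess and sends you back to the advisory, which is the behaviour the reply recommends.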