Accepted Solution

DFM and apache vulnerabilities


I am going through some security audits and I am curious how netapp OnCommand DFM handles apache vulnerabilities.

I have OnCommand Core Package (5.0); which seems to use Apache/2.2.10 (Win32) mod_ssl/2.2.10 OpenSSL/0.9.8e

I can see that DFM does not pack in very many libraries or apache modules, so that seems to me that it really limits the potential for vulnerabilities to surface in OnCommand's apache.

But I have to answer security team on questions like:

CVE-2011-3192 published 2011-08-29

Affected Apache = < 2.2.19

On the surface, security team says Vulnerable because On Command DFM is at 2.2.10 (i.e. "vulnerable")

I need to verify my thought process.

1. I assume Netapp branched off its own apache at 2.2.10 and is doing its own thing? so the only safe way for me to patch apache for DFM is to "patch OnCommand Core Package"?

2. As long as I have the latest OnCommand Core Package revision installed then I have the newest and least vulnerable httpd offered by netapp?

3. Is the latest version?

4. Also, there are vulnerabilities that I need to address like vulns in mod_dav. Is is sound to say that because the apache with OnCommand does not even have mod_dav then I do not really need to care about the patch?

thanks very much. I appreciate any feedback.

Re: DFM and apache vulnerabilities


Please open a support case to attach to bug 530008.  A patch request is already in place for OnCommand 5.0 so another is not needed at this time. 

Apache 2.2.10 is the version in all shipping versions of DFM and OnCommand. You should not attempt to upgrade Apache manually - this is not supported.

This patch will upgrade Apache from 2.2.10 to 2.2.21 within OnCommand 5.0.  There will also be a DFM 4.x patch updating Apache to 2.2.21 under bug 532848.