A support case is the recommended action to resolve items from a scanner report. Anyone prioritizing security for 7-Mode ONTAP should be targeting the latest P release of 8.2.5. These CVEs cover JBoss and HP ProCurve Manager, none of which is shipped in ONTAP.
https://nvd.nist.gov/vuln/detail/CVE-2007-1036
https://nvd.nist.gov/vuln/detail/CVE-2012-0874
https://nvd.nist.gov/vuln/detail/CVE-2013-4810
Configure the vulnerability scanner to perform a credentialed scan on the storage system so that it is able to detect ONTAP properly.
KB 1074217
Please confirm that this is the result you are observing:
https://www.tenable.com/plugins/nessus/50344
Plugin #50344
Info
Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header
Description
The remote web server in some responses sets a permissive Content-Security-Policy (CSP) frame-ancestors response header or does not set one at all. The CSP frame-ancestors header has been proposed by the W3C Web Application Security Working Group as a way to mitigate cross-site scripting and clickjacking attacks.
Solution
Set a non-permissive Content-Security-Policy frame-ancestors header for all requested resources.
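The plugin text above separates three cases: no Content-Security-Policy header at all, a policy without a frame-ancestors directive, and a directive that is present but permissive. As an added illustration (not code from the thread, from Tenable's plugin, or from NetApp), here is a small Python checker that classifies a response's frame-ancestors directive along those lines and builds the non-permissive value the plugin's solution asks for. The classification rules (bare `*` or a scheme-only source such as `https:` counts as permissive) and the sample headers are my own assumptions, not the plugin's internal logic.

```python
import re

# A scheme-only source such as "https:" lets any origin on that scheme frame the page.
_SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.\-]*:$")


def frame_ancestors_sources(headers):
    """Return the frame-ancestors source expressions from the response headers,
    or None if there is no Content-Security-Policy header or the policy has no
    frame-ancestors directive. Header names are matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def classify_frame_ancestors(headers):
    """Classify a response the way the plugin description distinguishes cases:
    'missing'     - no CSP header, or no frame-ancestors directive in it
    'permissive'  - directive present but effectively allows any framer
    'restrictive' - framing limited to 'none', 'self' or named hosts
    (assumed classification rules, not the plugin's own logic)"""
    sources = frame_ancestors_sources(headers)
    if sources is None:
        return "missing"
    if not sources:
        # An empty source list forbids all framing, equivalent to 'none'.
        return "restrictive"
    for src in sources:
        s = src.lower()
        if s == "*" or _SCHEME_ONLY.match(s):
            return "permissive"
    return "restrictive"


def hardened_csp(allowed_hosts=()):
    """Build a header value that satisfies the plugin's solution: deny all
    framing, or allow only the page's own origin plus explicitly named hosts."""
    if not allowed_hosts:
        return "frame-ancestors 'none'"
    return "frame-ancestors 'self' " + " ".join(allowed_hosts)


# Constructed sample responses (not captured from any real system).
SAMPLES = {
    "no_header": {"Server": "example"},
    "csp_without_directive": {"Content-Security-Policy": "default-src 'self'"},
    "wildcard": {"content-security-policy": "default-src 'self'; frame-ancestors *"},
    "scheme_only": {"Content-Security-Policy": "frame-ancestors https:"},
    "self_only": {"Content-Security-Policy": "frame-ancestors 'self'"},
    "hardened": {"Content-Security-Policy": hardened_csp()},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:22s} -> {classify_frame_ancestors(hdrs)}")
```

Run against the constructed samples, only the `self_only` and `hardened` responses come back as restrictive; the other four reproduce the finding in one of its two forms.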
Have you opened a support case where additional data might be found? If not, please share the source of this finding and the CVSS score vectors.
Hi, As I understand it, 7.3.2 ADE should not have these ports open for public access - they are locked down during the installation process via a firewall configuration to accept connections only from the OCI Server. I suggest opening a support case to investigate this further. Thanks, Kevin
https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0 "Version 1.0 was never publicly released because of serious security flaws in the protocol." As far as I am aware, no version or mode of ONTAP ever supported SSLv1 since it was never released.
Setting the ssl.enable option to "on" enables SSL usage and has nothing to do with SSL v1. You must set ssl.enable to on in order to use the other ssl and tls options.
https://kb.netapp.com/support/index?page=content&id=1015015
https://library.netapp.com/ecmdocs/ECMP1155684/html/GUID-20073505-6C40-4A9B-85D9-D398C2991102.html
FYI - ONTAP 8.2.5 (7-Mode only) adds support for TLS v1.1 and v1.2.
Thanks for the info on the generic "disable SMBv1" warning. As of today (7/12/2017) it is not completely possible to disable SMBv1 for client access on any version of ONTAP other than 9.2. However, there are plans to add that capability to an existing LTS 9.x release and an upcoming 7-Mode release as well.
For a conclusive answer it would help to know exactly what the scanner is reporting. In the meantime, you might find this helpful: https://kb.netapp.com/support/s/article/NTAP-20170515-0001
You will need to upgrade ONTAP to 8.3.2P4+: https://kb.netapp.com/support/s/article/cve-2015-8020-default-privileged-account-credentials-vulnerability-in-in-clustered-data-ontap
This version of ONTAP only supports TLS 1.0 (& SSLv3). Enabling FIPS 140-2 mode for web services will disable some ciphers, including RC4. SSH is more configurable in this release - per the sysadmin guide: https://library.netapp.com/ecm/ecm_download_file/ECMP12458569

Data ONTAP supports OpenSSH client version 5.4p1 and OpenSSH server version 5.4p1. Only the SSH v2 protocol is supported; SSH v1 is not supported.
• Data ONTAP supports a maximum of 64 concurrent SSH sessions per node. If the cluster management LIF resides on the node, it shares this limit with the node management LIF. If the rate of incoming connections is higher than 10 per second, the service is temporarily disabled for 60 seconds.
• Data ONTAP supports only the AES and 3DES encryption algorithms (also known as ciphers) for SSH. AES is supported with 128, 192, and 256 bits in key length. 3DES is 56 bits in key length as in the original DES, but it is repeated three times.

Data ONTAP supports the following SSH security configurations for the cluster and SVMs:
• The following SSH key exchange algorithms are supported and enabled by default:
  ◦ The diffie-hellman-group-exchange-sha256 SSH key exchange algorithm for SHA-2
  ◦ The diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 SSH key exchange algorithms for SHA-1
  SHA-2 algorithms are more secure than SHA-1 algorithms. Data ONTAP, which serves as an SSH server, automatically selects the most secure SSH key exchange algorithm that matches the client. To further enhance SSH security, you can manually disable the SHA-1 algorithms and leave only the SHA-2 algorithm enabled.
• For ciphers, the following counter (CTR) mode and cipher block chaining (CBC) mode of the AES and 3DES symmetric encryptions are supported and enabled by default:
  ◦ aes256-ctr
  ◦ aes192-ctr
  ◦ aes128-ctr
  ◦ aes256-cbc
  ◦ aes192-cbc
  ◦ aes128-cbc
  ◦ 3des-cbc
  The CTR mode ciphers are more secure than the CBC mode ciphers. Among ciphers of the same mode, the higher the key size, the more secure the cipher. Of the ciphers supported by Data ONTAP, aes256-ctr is the most secure, and 3des-cbc is the least secure. You can manage the SSH key exchange algorithms and ciphers for the cluster and SVMs...
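The quoted guide states the ordering rules (CTR over CBC, larger key over smaller, 3DES below every AES size, SHA-2 key exchange over SHA-1) but leaves it to the reader to apply them. As an added example, not code from the thread or from NetApp, here is a Python helper that applies those rules to the default lists above, so an administrator can see which defaults a hardened profile would drop and derive the reduced sets to configure. The `security ssh modify` command string it builds is assumed from the clustered ONTAP CLI and is not shown in the quoted guide; confirm the syntax against the admin guide for the release in use.

```python
import re

# Default lists exactly as the quoted guide gives them.
DEFAULT_KEX = [
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
DEFAULT_CIPHERS = [
    "aes256-ctr", "aes192-ctr", "aes128-ctr",
    "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc",
]

_CIPHER = re.compile(r"^(aes(\d{3})|3des)-(ctr|cbc)$")


def cipher_strength(name):
    """Rank key (mode, key bits) following the guide's rules: CTR beats CBC,
    and within a mode a larger key beats a smaller one. 3DES is 56-bit DES
    applied three times, so it ranks below every AES key size."""
    m = _CIPHER.match(name)
    if not m:
        raise ValueError(f"not an ONTAP SSH cipher name: {name}")
    key_bits = int(m.group(2)) if m.group(2) else 56
    return (1 if m.group(3) == "ctr" else 0, key_bits)


def rank_ciphers(ciphers):
    """Strongest first, per cipher_strength."""
    return sorted(ciphers, key=cipher_strength, reverse=True)


def hardened_ciphers(ciphers):
    """Keep only the CTR-mode ciphers, which the guide calls more secure than CBC."""
    return [c for c in rank_ciphers(ciphers) if cipher_strength(c)[0] == 1]


def hardened_kex(kex_algorithms):
    """Keep only SHA-2 key exchange, i.e. 'manually disable the SHA-1 algorithms'."""
    return [k for k in kex_algorithms if not k.endswith("-sha1")]


def weak_entries(ciphers, kex_algorithms):
    """What an unchanged default would still offer: CBC ciphers, 3DES and SHA-1 kex."""
    keep_c = hardened_ciphers(ciphers)
    keep_k = hardened_kex(kex_algorithms)
    return {
        "ciphers": [c for c in ciphers if c not in keep_c],
        "kex": [k for k in kex_algorithms if k not in keep_k],
    }


def ontap_modify_command(vserver, ciphers, kex_algorithms):
    """Assumed clustered ONTAP CLI syntax (not shown in the quoted guide);
    verify against the admin guide for the release before running it."""
    return (f"security ssh modify -vserver {vserver} "
            f"-ciphers {','.join(hardened_ciphers(ciphers))} "
            f"-key-exchange-algorithms {','.join(hardened_kex(kex_algorithms))}")


if __name__ == "__main__":
    print("ranked :", rank_ciphers(DEFAULT_CIPHERS))
    print("weak   :", weak_entries(DEFAULT_CIPHERS, DEFAULT_KEX))
    print(ontap_modify_command("cluster1", DEFAULT_CIPHERS, DEFAULT_KEX))
```

With the defaults, the helper keeps the three CTR ciphers and the single SHA-2 key exchange and lists the four CBC ciphers and three SHA-1 exchanges as what a scanner would still see offered if nothing is changed. Before dropping the SHA-1 exchanges, check that the SSH clients and automation that reach the cluster can negotiate diffie-hellman-group-exchange-sha256, since an old client that cannot will simply fail to connect.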
SSH cipher management is also covered in "System Administration Guide for Cluster Administrators". The 8.2.2 doc: https://library.netapp.com/ecm/ecm_download_file/ECMP1636068
When a fix is posted for a product the KB (Security Advisory) will be updated. If you subscribe to that KB or the entire Product Security area you will be notified when updates are published. As far as I am aware, OnCommand Balance has not yet reached End of Support status and therefore will be fixed.
Greetings, FYI - No version of UM 6.x has an NMC UI - that is specific to the UM 5.x software. Here are a few "other latency" posts on this forum:
https://communities.netapp.com/message/134770
https://communities.netapp.com/message/133750
https://forums.netapp.com/message/223184
https://communities.netapp.com/message/56214
https://communities.netapp.com/message/71574
Thanks, Kevin