{"status":"success","advisory":{"_id":"683547245b16347a91c39d64","kb_acknowledgements":null,"kb_affected_list":["NetApp Cloud Backup (formerly AltaVault)","NetApp SolidFire & HCI Management Node","NetApp SteelStore Cloud Integrated Storage","ONTAP Select Deploy administration utility"],"kb_bad_data":false,"kb_cve":["CVE-2019-6109","CVE-2019-6110","CVE-2019-6111"],"kb_exploitation":"Public","kb_fixes":[{"product":"NetApp SolidFire & HCI Management Node","fixes":[{"link":"https://mysupport.netapp.com/site/products/all/details/element-software/downloads-tab/download/62654/12.0","cves":[]},{"link":"https://mysupport.netapp.com/site/products/all/details/netapp-hci/downloads-tab/download/62542/1.8","cves":[]}],"instructions":"","wontfix":false,"eos_link":null},{"product":"NetApp Cloud Backup (formerly AltaVault)","fixes":[],"instructions":null,"wontfix":true,"eos_link":"https://mysupport.netapp.com/info/communications/ECMLP2880179.html"},{"product":"NetApp SteelStore Cloud Integrated Storage","fixes":[],"instructions":null,"wontfix":true,"eos_link":"https://mysupport.netapp.com/info/communications/ECMLP2397079.html"},{"product":"ONTAP Select Deploy administration utility","fixes":[{"link":"https://mysupport.netapp.com/site/products/all/details/ontapselect-deploy/downloads-tab/download/62910/9.7","cves":[]}],"instructions":"CVE-2019-6109 and CVE-2019-6111 were fixed under bug 1212158. CVE-2019-6110 remains unfixed as the upstream maintainer has not fixed it. Exploit of CVE-2019-6110 requires a user to connect to a malicious SSH server or a MITM (Man-in-the-middle) of the scp connection.","wontfix":false,"eos_link":null}],"kb_impact":"Successful exploitation of these vulnerabilities could lead to disclosure of sensitive information or the addition or modification of data.","kb_internal_notes":[{"burt":"1212375","jira":"","product":"Active IQ Unified Manager for VMware vSphere"},{"burt":"1212368","jira":"","product":"Cluster Network Switch (NetApp CN1610)"},{"burt":"1212369","jira":"","product":"Data ONTAP operating in 7-Mode"},{"burt":"1212366","jira":"","product":"FAS/AFF Baseboard Management Controller (BMC) - C190/A150/A220/FAS2720/FAS2750"},{"burt":"1212377","jira":"","product":"FAS/AFF Service Processor - 8080/8060/8040/8020"},{"burt":"1212372","jira":"","product":"NetApp Cloud Backup (formerly AltaVault)"},{"burt":"","jira":"","product":"NetApp HCI Compute Node (Bootstrap OS)"},{"burt":"","jira":"","product":"NetApp HCI Storage Nodes"},{"burt":"","jira":"","product":"NetApp SolidFire & HCI Management Node"},{"burt":"","jira":"","product":"NetApp SolidFire & HCI Storage Node (Element Software)"},{"burt":"1212371","jira":"","product":"NetApp SteelStore Cloud Integrated Storage"},{"burt":"1212373","jira":"","product":"NetApp VASA Provider for Clustered Data ONTAP 9.7 and above"},{"burt":"1212367","jira":"","product":"ONTAP 9 (formerly Clustered Data ONTAP)"},{"burt":"1212376","jira":"","product":"ONTAP Select Deploy administration utility"},{"burt":"1212374","jira":"","product":"OnCommand Unified Manager Core Package"},{"burt":"1212370","jira":"","product":"Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 9.7 and above"},{"burt":"1212381","jira":"","product":"StorageGRID (formerly StorageGRID Webscale)"},{"burt":"1212379","jira":"","product":"StorageGRID9 (9.x and prior)"},{"burt":"1212382","jira":"","product":"Virtual Storage Console for VMware vSphere 9.7 and above"}],"kb_investigating_list":[],"kb_num":"9010000","kb_ref":["https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt"],"kb_rev_history":[{"comment":"Initial Public Release","date":"20190213","version":"1.0"},{"comment":"Clustered Data ONTAP moved to Products Not Affected","date":"20190423","version":"2.0"},{"comment":"Cluster Network Switch (NetApp CN1610) moved to Won't Fix status","date":"20190731","version":"3.0"},{"comment":"NetApp Cloud Backup (formerly AltaVault), NetApp SteelStore Cloud Integrated Storage moved to Affected Products","date":"20190926","version":"4.0"},{"comment":"Cluster Network Switch (NetApp CN1610) moved to Not Affected status since it ships a version of OpenSSH older than 7.9","date":"20200402","version":"5.0"},{"comment":"NetApp SolidFire & HCI Management Node added to Software Versions and Fixes","date":"20200818","version":"6.0"},{"comment":"NetApp SteelStore Cloud Integrated Storage moved to Won't Fix status","date":"20200901","version":"7.0"},{"comment":"ONTAP Select Deploy administration utility moved to Won't Fix status","date":"20210504","version":"8.0"},{"comment":"NetApp Cloud Backup (formerly AltaVault) moved to Won't Fix status, Final status","date":"20220106","version":"9.0"},{"comment":"After additional review ONTAP Select Deploy administration utility added to Software Versions and Fixes with note regarding unfixed CVE, remains Final status","date":"20240614","version":"10.0"}],"kb_revised_list":[],"kb_scoring":{"CVE-2019-6109":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N","CVE-2019-6110":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N","CVE-2019-6111":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},"kb_scoring_calc":[{"cve_id":"CVE-2019-6109","range":"MEDIUM","score":4.2,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"cve_id":"CVE-2019-6110","range":"LOW","score":3.1,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"cve_id":"CVE-2019-6111","range":"MEDIUM","score":5.3,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"kb_status":"Final","kb_summary":"Multiple NetApp products incorporate OpenSSH software libraries. OpenSSH versions through 7.9 are susceptible to vulnerabilities which when successfully exploited could lead to disclosure of sensitive information or the addition or modification of data.","kb_title":"January 2019 OpenSSH Vulnerabilities in NetApp Products","kb_unaffected_list":["Active IQ Unified Manager for Linux","Active IQ Unified Manager for Microsoft Windows","Active IQ Unified Manager for VMware vSphere","Active IQ mobile app","Astra Trident","Brocade Fabric Operating System Firmware","Cluster Network Switch (NetApp CN1610)","Data ONTAP operating in 7-Mode","E-Series SANtricity OS Controller Software 11.x","E-Series SANtricity Unified Manager and Web Services Proxy","Element Plug-in for vCenter Server","FAS/AFF BIOS - 8300/8700/A400/C400","FAS/AFF Baseboard Management Controller (BMC) - C190/A150/A220/FAS2720/FAS2750","FAS/AFF Service Processor - 8080/8060/8040/8020","Host Utilities - SAN for Linux","Host Utilities - SAN for Windows","IOM6 SAS Disk Shelf Firmware","MetroCluster Tiebreaker for clustered Data ONTAP","NetApp BlueXP","NetApp Converged Systems Advisor Agent","NetApp HCI Compute Node (Bootstrap OS)","NetApp HCI Compute Node BIOS","NetApp HCI Storage Nodes","NetApp Manageability SDK","NetApp NFS Plug-in for VMware VAAI","NetApp ONTAP PowerShell Toolkit (PSTK)","NetApp SolidFire & HCI Storage Node (Element Software)","NetApp VASA Provider for Clustered Data ONTAP 9.7 and above","ONTAP 9 (formerly Clustered Data ONTAP)","ONTAP Antivirus Connector","OnCommand Insight","OnCommand Unified Manager Core Package","OnCommand Workflow Automation","Single Mailbox Recovery","Snap Creator Framework","SnapCenter","SnapManager for Hyper-V","Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 9.7 and above","StorageGRID (formerly StorageGRID Webscale)","StorageGRID Baseboard Management Controller (BMC) - SG6060/SG6160/SGF6024/SGF6112/SG100/SG110/SG1000/SG1100","StorageGRID9 (9.x and prior)","System Manager 9.x","Virtual Storage Console for VMware vSphere 9.7 and above"],"kb_workarounds":"None at this time.","ntap_advisory_id":"NTAP-20190213-0001","adv_id":"ntap-20190213-0001","published_date":"2019-02-13T00:00:00","updated_date":"2024-06-14T00:00:00","inserted_date":"2025-05-27T05:01:24.243000","modified_date":null}}