{"status":"success","advisory":{"_id":"683547245b16347a91c39d87","kb_acknowledgements":null,"kb_affected_list":["NetApp Cloud Backup (formerly AltaVault)","ONTAP Select Deploy administration utility"],"kb_bad_data":false,"kb_cve":["CVE-2019-3855","CVE-2019-3856","CVE-2019-3857","CVE-2019-3858","CVE-2019-3859","CVE-2019-3860","CVE-2019-3861","CVE-2019-3862","CVE-2019-3863"],"kb_exploitation":"Public","kb_fixes":[{"product":"NetApp Cloud Backup (formerly AltaVault)","fixes":[],"instructions":null,"wontfix":true,"eos_link":"https://mysupport.netapp.com/info/communications/ECMLP2880179.html"},{"product":"ONTAP Select Deploy administration utility","fixes":[{"link":"https://mysupport.netapp.com/site/products/all/details/ontapselect-deploy/downloads-tab/download/62910/9.7","cves":[]}],"instructions":"","wontfix":false,"eos_link":null}],"kb_impact":"Successful exploitation of these vulnerabilities could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).\r\n<br><br>\r\nE-Series SANtricity OS Controller Software 11.x is not affected in its default configuration with remote login disabled.","kb_internal_notes":[{"burt":"1227375","jira":"","product":"E-Series SANtricity OS Controller Software 11.x"},{"burt":"1227376","jira":"","product":"NetApp Cloud Backup (formerly AltaVault)"},{"burt":"","jira":"","product":"NetApp HCI Compute Node (Bootstrap OS)"},{"burt":"","jira":"","product":"NetApp HCI Storage Nodes"},{"burt":"","jira":"","product":"NetApp SolidFire & HCI Management Node"},{"burt":"","jira":"","product":"NetApp SolidFire & HCI Storage Node (Element Software)"},{"burt":"1227377","jira":"","product":"NetApp VASA Provider for Clustered Data ONTAP 9.7 and above"},{"burt":"1227378","jira":"","product":"ONTAP Select Deploy administration utility"},{"burt":"1227379","jira":"","product":"StorageGRID (formerly StorageGRID Webscale)"}],"kb_investigating_list":[],"kb_num":"9010000","kb_ref":["https://www.libssh2.org/CVE-2019-3855.html","https://www.libssh2.org/CVE-2019-3856.html","https://www.libssh2.org/CVE-2019-3857.html","https://www.libssh2.org/CVE-2019-3858.html","https://www.libssh2.org/CVE-2019-3859.html","https://www.libssh2.org/CVE-2019-3860.html","https://www.libssh2.org/CVE-2019-3861.html","https://www.libssh2.org/CVE-2019-3862.html","https://www.libssh2.org/CVE-2019-3863.html"],"kb_rev_history":[{"comment":"Initial Public Release","date":"20190327","version":"1.0"},{"comment":"NetApp VASA Provider for Clustered Data ONTAP 7.2 and above moved to Products Not Affected","date":"20190328","version":"2.0"},{"comment":"NetApp Cloud Backup (formerly AltaVault) moved to Affected Products","date":"20190404","version":"3.0"},{"comment":"NetApp Cloud Backup (formerly AltaVault) added to Software Versions and Fixes","date":"20191119","version":"4.0"},{"comment":"After additional review NetApp Cloud Backup (formerly AltaVault) moved to Affected Products","date":"20210324","version":"5.0"},{"comment":"NetApp Cloud Backup (formerly AltaVault) moved to Won't Fix status","date":"20220106","version":"6.0"},{"comment":"ONTAP Select Deploy administration utility added to Software Versions and Fixes, Final status","date":"20240425","version":"7.0"}],"kb_revised_list":[],"kb_scoring":{"CVE-2019-3855":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","CVE-2019-3856":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","CVE-2019-3857":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","CVE-2019-3858":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","CVE-2019-3859":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","CVE-2019-3860":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","CVE-2019-3861":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","CVE-2019-3862":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","CVE-2019-3863":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},"kb_scoring_calc":[{"cve_id":"CVE-2019-3855","range":"HIGH","score":7.5,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"cve_id":"CVE-2019-3856","range":"HIGH","score":7.5,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"cve_id":"CVE-2019-3857","range":"HIGH","score":7.5,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"cve_id":"CVE-2019-3858","range":"MEDIUM","score":5.0,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"cve_id":"CVE-2019-3859","range":"MEDIUM","score":5.0,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"cve_id":"CVE-2019-3860","range":"MEDIUM","score":5.0,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"cve_id":"CVE-2019-3861","range":"MEDIUM","score":5.0,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"cve_id":"CVE-2019-3862","range":"HIGH","score":7.3,"vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"cve_id":"CVE-2019-3863","range":"HIGH","score":7.5,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"kb_status":"Final","kb_summary":"Multiple NetApp products incorporate the libssh2. Libssh2 versions through 1.8.0 are susceptible to vulnerabilities which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).","kb_title":"March 2019 Libssh2 Vulnerabilities in NetApp Products","kb_unaffected_list":["Active IQ Unified Manager for Linux","Active IQ Unified Manager for Microsoft Windows","Active IQ Unified Manager for VMware vSphere","Active IQ mobile app","Astra Trident","Brocade Fabric Operating System Firmware","E-Series SANtricity OS Controller Software 11.x","E-Series SANtricity Unified Manager and Web Services Proxy","Element Plug-in for vCenter Server","FAS/AFF BIOS - 8300/8700/A400/C400","FAS/AFF Baseboard Management Controller (BMC) - C190/A150/A220/FAS2720/FAS2750","Host Utilities - SAN for Linux","Host Utilities - SAN for Windows","IOM6 SAS Disk Shelf Firmware","MetroCluster Tiebreaker for clustered Data ONTAP","NetApp BlueXP","NetApp Converged Systems Advisor Agent","NetApp HCI Compute Node (Bootstrap OS)","NetApp HCI Compute Node BIOS","NetApp HCI Storage Nodes","NetApp Manageability SDK","NetApp NFS Plug-in for VMware VAAI","NetApp ONTAP PowerShell Toolkit (PSTK)","NetApp SolidFire & HCI Management Node","NetApp SolidFire & HCI Storage Node (Element Software)","NetApp VASA Provider for Clustered Data ONTAP 9.7 and above","ONTAP 9 (formerly Clustered Data ONTAP)","ONTAP Antivirus Connector","OnCommand Insight","OnCommand Workflow Automation","Single Mailbox Recovery","Snap Creator Framework","SnapCenter","SnapManager for Hyper-V","StorageGRID (formerly StorageGRID Webscale)","StorageGRID Baseboard Management Controller (BMC)","System Manager 9.x"],"kb_workarounds":"None at this time.","ntap_advisory_id":"NTAP-20190327-0005","adv_id":"ntap-20190327-0005","published_date":"2019-03-27T00:00:00","updated_date":"2024-04-25T00:00:00","inserted_date":"2025-05-27T05:01:24.824000","modified_date":null}}