Summary

Multiple NetApp products utilize the TLS protocol. Any system using the TLS protocol with 64-bit block ciphers that are used in long running connections are vulnerable to a birthday attack referred to as SWEET32. When exploited, the vulnerability may lead to the unauthorized disclosure of information. This bulletin will be updated as additional information becomes available.

Impact

Exploitation of this vulnerability may lead to unauthorized disclosure of information.

Vulnerability Scoring Details

Exploitation and Public Announcements

NetApp is aware of public discussion of this vulnerability.

References

• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183
• https://sweet32.info/
• https://www.openssl.org/blog/blog/2016/08/24/sweet32

Affected Products

• 7-Mode Transition Tool
• AFF Baseboard Management Controller (BMC) - A700s
• Brocade Fabric Operating System Firmware
• Brocade Network Advisor Software
• Cloud Manager
• Clustered Data ONTAP
• Data ONTAP PowerShell Toolkit
• Data ONTAP operating in 7-Mode
• E-Series SANtricity Storage Manager
• NetApp Cloud Backup (formerly AltaVault)
• NetApp Host Agent
• NetApp Manageability SDK
• NetApp Plug-in for Symantec NetBackup
• NetApp SMI-S Provider
• NetApp SolidFire, Enterprise SDS & HCI Storage Node (Element Software)
• NetApp VASA Provider for Clustered Data ONTAP 9.7 and above
• ONTAP Select Deploy administration utility
• OnCommand Insight
• OnCommand Shift
• OnCommand Unified Manager Core Package
• OnCommand Workflow Automation
• Open Systems SnapVault Agent
• Perfstat
• RBAC User Creator for Data ONTAP
• Service Processor
• Snap Creator Framework
• SnapCenter
• SnapCenter Plug-in for VMware vSphere
• SnapDrive for Unix
• SnapDrive for Windows
• SnapProtect
• Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 9.7 and above
• StorageGRID (formerly StorageGRID Webscale)
• StorageGRID9 (9.x and prior)
• System Setup
• Virtual Storage Console for VMware vSphere 6.x
• Virtual Storage Console for VMware vSphere 9.7 and above

Products Not Affected

• ATTO FibreBridge - 6500N
• Cluster Network Switch (NetApp CN1610)
• Clustered Data ONTAP Antivirus Connector
• E-Series SANtricity Management Plug-ins (VMware VASA (Windows))
• E-Series SANtricity Management Plug-ins (VMware vCenter (Linux))
• E-Series SANtricity Management Plug-ins (VMware vCenter)
• E-Series SANtricity Web Services (REST API) for Web Services Proxy
• FAS/AFF BIOS
• Host Utilities - SAN for Linux
• Host Utilities - SAN for Windows
• Management Network Switch (NetApp CN1601)
• MetroCluster Tiebreaker for clustered Data ONTAP
• NetApp Cloud Backup OST Plug-in (formerly AltaVault OST Plug-in)
• NetApp NFS Plug-in for VMware VAAI
• NetApp SANtricity SMI-S Provider
• NetApp Storage Encryption
• OnCommand API Services
• OnCommand Balance
• OnCommand Performance Manager (Unified Manager Performance Pkg)
• OnCommand Plug-in for Microsoft
• OnCommand Unified Manager for Clustered Data ONTAP
• Single Mailbox Recovery
• SnapManager for Hyper-V
• SnapManager for Oracle
• SnapManager for SAP
• SnapManager for Sharepoint
• Storage Replication Adapter for Data ONTAP operating in 7-Mode 2.1
• Storage Services Connector
• System Manager 9.x

Software Versions and Fixes

NetApp's currently available patches are listed below.

Workarounds

• Clustered Data ONTAP: Beginning with version 9.0 ciphers can be manually disabled using the "security config" command:

::*> security config modify -supported-ciphers CURRENT_CIPHER_STRING:!3DES:!DES
Note that "!DES" is only necessary if "!LOW" is not already present, which it is by default.

• Data ONTAP operating in 7-Mode: Beginning with version 8.2.5 the "high_security.enable" option will enable only the TLS v1.1 and v1.2 protocols which do not support the 3DES-CBC cipher.

• OnCommand Insight: https://kb.netapp.com/support/s/article/How-to-use-IBM-Cognos-configuration-application-edit-Supported-ciphersuites-setting-to-remove-3DES

• System Setup: Disable the 3DES and DES ciphers using https://support.microsoft.com/en-in/kb/245030.

• OnCommand Workflow Automation:
1. Stop all of the WFA services.
2. Make a backup copy and then edit this file: C:\Program Files\NetApp\WFA\jboss\standalone\configuration\standalone-full.xml
3. Search for https-listner in the standalone-full.xml file.
4. Remove all of the 3DES cipher suites in the 'enabled-cipher-suites' attribute.
5. Save and close the standalone-full.xml file.
6. Start the WFA services and make sure all the binaries have deployed successfully under the C:\Program Files\NetApp\WFA\jboss\standalone\deployments folder.
7. Run manual acquisition from all the added data sources and ensure that all the acquisitions have finished without any issues.

Obtaining Software Fixes

Software fixes will be made available through the NetApp Support website in the Software Download section.

https://mysupport.netapp.com/site/downloads/

Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.

Contact Information

Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:

Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)

Status of This Notice

Final.

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

This advisory is posted at the following link:
https://security.netapp.com/advisory/NTAP-20160915-0001

Revision History