CVE-2014-3566 SSL v3.0 Nondeterministic CBC Padding Vulnerability in Multiple NetApp Products

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.

Summary

Multiple NetApp products incorporate the OpenSSL software libraries to provide cryptographic capabilities. The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a vulnerability also known as POODLE. NetApp is investigating which products use SSL v3.0. Known workarounds include disabling SSL v3.0 and/or forcing the use of TLS only. This advisory will be updated as additional information becomes available.
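The padding rule the Summary refers to, as an added illustration that is not NetApp's or OpenSSL's code: an SSL 3.0-style check that reads only the length byte beside the TLS 1.0 check that verifies every padding byte, both run over constructed, already-decrypted record bytes (the MAC is folded into the payload and no encryption is performed) to show how many different fillers each rule accepts.

```python
# SSL 3.0 vs TLS 1.0 CBC padding checks on already-decrypted record bytes.
# Constructed illustration of the POODLE root cause; not NetApp or OpenSSL code.

BLOCK_SIZE = 16  # AES block size; SSLv3 requires pad_len < BLOCK_SIZE


def sslv3_padding_ok(decrypted: bytes) -> bool:
    """SSL 3.0 rule: the last byte is the padding length and must be smaller
    than the block size. The padding bytes are never inspected and the MAC
    does not cover them, so any filler of the right length is accepted."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len < BLOCK_SIZE and len(decrypted) >= pad_len + 1


def tls_padding_ok(decrypted: bytes) -> bool:
    """TLS 1.0+ rule: the last byte is the padding length and every padding
    byte must equal it, so only one padding is valid for a given length."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if len(decrypted) < pad_len + 1:
        return False
    return all(b == pad_len for b in decrypted[-(pad_len + 1):])


def pad_length_for(payload: bytes) -> int:
    """Shortest padding that makes payload || padding || pad_len block aligned."""
    return (BLOCK_SIZE - (len(payload) + 1) % BLOCK_SIZE) % BLOCK_SIZE


def build_record(payload: bytes, filler: bytes) -> bytes:
    """Assemble payload || filler || pad_len with a caller-chosen filler."""
    pad_len = pad_length_for(payload)
    assert len(filler) == pad_len, "filler must be exactly pad_len bytes"
    return payload + filler + bytes([pad_len])


def count_accepted(check, payload: bytes) -> int:
    """Vary the first padding byte over all 256 values (rest canonical) and
    count how many records the check accepts; needs at least one padding byte."""
    pad_len = pad_length_for(payload)
    assert pad_len >= 1, "payload needs at least one padding byte to vary"
    canonical_tail = bytes([pad_len]) * (pad_len - 1)
    return sum(check(build_record(payload, bytes([v]) + canonical_tail)) for v in range(256))
```

With a 14-byte constructed payload (one padding byte), the SSLv3 rule accepts all 256 fillers while the TLS rule accepts exactly one, which is the difference the advisory calls nondeterministic padding.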

Impact

Exploitation of this vulnerability may lead to unauthorized disclosure of information.

Vulnerability Scoring Details

CVE: CVE-2014-3566
Score: 3.4 (LOW)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Exploitation and Public Announcements

NetApp is aware of public discussion of this vulnerability.

References

Affected Products

  • 7-Mode Transition Tool
  • Brocade Data Center Fabric Manager Professional Software
  • Brocade Fabric Operating System Firmware
  • Brocade Network Advisor Software
  • Cluster Network Switch (NetApp CN1610)
  • Clustered Data ONTAP
  • Clustered Data ONTAP Antivirus Connector
  • Data ONTAP PowerShell Toolkit
  • Data ONTAP operating in 7-Mode
  • FlashRay
  • NetApp Host Agent
  • NetApp Manageability SDK
  • NetApp Plug-in for Symantec NetBackup
  • NetApp Recovery Manager for Citrix Sharefile
  • NetApp SMI-S Provider
  • NetApp VASA Provider for Clustered Data ONTAP 7.2 and above
  • NetApp VASA Provider for Data ONTAP operating in 7-Mode
  • NetApp VTL
  • OnCommand Balance
  • OnCommand Insight
  • OnCommand Performance Manager (Unified Manager Performance Pkg)
  • OnCommand Plug-in for Microsoft
  • OnCommand Report
  • OnCommand System Manager 9.x
  • OnCommand Unified Manager Host Package
  • OnCommand Unified Manager for 7-Mode (core package)
  • OnCommand Unified Manager for Clustered Data ONTAP
  • OnCommand Workflow Automation
  • Open Systems SnapVault Agent
  • RapidData Migration Solution
  • Service Processor
  • Snap Creator Framework
  • SnapDrive for Unix
  • SnapDrive for Windows
  • SnapManager for Oracle
  • SnapManager for SAP
  • SnapManager for Sharepoint
  • SnapProtect
  • Storage Replication Adapter for Data ONTAP operating in 7-Mode 2.1
  • Virtual Storage Console for Citrix XenServer
  • Virtual Storage Console for Red Hat Enterprise Virtualization
  • Virtual Storage Console for VMware vSphere 7.2 and above

Products Not Affected

  • ATTO FibreBridge
  • Data Migration Appliance DTA2800 (DTA Firmware)
  • Data ONTAP Edge
  • E-Series SANtricity Storage Manager
  • E-Series SANtricity Web Services (REST API) for Web Services Proxy
  • FAS/AFF BIOS
  • Host Utilities - SAN for ESX
  • Host Utilities - SAN for Linux
  • Host Utilities - SAN for Windows
  • MetroCluster Plug-in for vSphere
  • Multipath I/O (Data ONTAP DSM for Windows MPIO)
  • NetApp Cloud Backup (formerly AltaVault)
  • NetApp NFS Plug-in for VMware VAAI
  • NetApp SANtricity SMI-S Provider
  • NetApp Storage Encryption
  • OnCommand Cloud Manager
  • RAID Controller CTS2600 Legacy Engenio
  • Single Mailbox Recovery
  • SnapManager for Exchange
  • SnapManager for Hyper-V
  • SnapManager for MS SQL
  • Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 7.2 and above
  • Storage Services Connector
  • StorageGRID (formerly StorageGRID Webscale)
  • StorageGRID9 (9.x and prior)
  • System Setup

Software Versions and Fixes

NetApp's currently available patches are listed below.

Product: First Fixed in Release

  • Data ONTAP PowerShell Toolkit
    http://mysupport.netapp.com/tools/info/ECMLP2310788I.html?productID=61926
  • OnCommand Unified Manager for 7-Mode (core package)
    https://mysupport.netapp.com/NOW/download/software/occore_win/5.2.1/
    https://mysupport.netapp.com/NOW/download/software/occore_lin/5.2.1/
    After upgrading, SSLv2 and SSLv3 must be disabled: https://kb.netapp.com/support/index?page=content&id=3014517
  • NetApp Recovery Manager for Citrix Sharefile
    NetApp Recovery Manager for Citrix Sharefile has no plans to address this vulnerability.
  • Clustered Data ONTAP
    Enable TLS then disable SSLv2 and v3 in ONTAP using the following KB article: https://kb.netapp.com/support/index?page=content&id=1015015
  • SnapDrive for Unix
    http://mysupport.netapp.com/NOW/download/software/snapdrive_redhatlinux/5.3/
  • SnapDrive for Windows
    http://mysupport.netapp.com/NOW/download/software/snapdrive_win/7.1.2/
  • NetApp SMI-S Provider
    http://mysupport.netapp.com/NOW/download/software/smis/Windows/5.2.2/
    http://mysupport.netapp.com/NOW/download/software/smis/Linux/5.2.2/
  • OnCommand Unified Manager for Clustered Data ONTAP
    http://mysupport.netapp.com/NOW/download/software/oncommand_cdot/6.3/
    http://mysupport.netapp.com/NOW/download/software/oncommand_cdot_lin/6.3/
  • Storage Replication Adapter for Data ONTAP operating in 7-Mode 2.1
    To use exclusively TLS, an upgrade to SRM 6.0 is required along with enabling SSL communication using KB 1012531: https://kb.netapp.com/support/index?page=content&id=1012531
  • Snap Creator Framework
    http://mysupport.netapp.com/NOW/download/software/snapcreator_framework/4.3/
    SCF supports TLS when communicating with Data ONTAP when SSL v3 is disabled within Java on both the SCF Server and Agent hosts and after enabling TLS in ONTAP.
  • 7-Mode Transition Tool
    http://mysupport.netapp.com/NOW/download/software/ntap_7mtt/2.0/
  • Brocade Data Center Fabric Manager Professional Software
    Brocade Data Center Fabric Manager Professional Software has no plans to address this vulnerability. See the EOA announcement for more information.
  • OnCommand Performance Manager (Unified Manager Performance Pkg)
    http://mysupport.netapp.com/NOW/download/software/oncommand_pm/1.0R2/
  • NetApp Host Agent
    NetApp Host Agent has no plans to address this vulnerability. See the EOA announcement for more information.
  • NetApp VASA Provider for Clustered Data ONTAP 7.2 and above
    http://mysupport.netapp.com/NOW/download/software/vasa_cdot/5.0P1/
  • OnCommand Workflow Automation
    http://mysupport.netapp.com/NOW/download/software/ocwfa/3.0/
  • SnapManager for SAP
    http://mysupport.netapp.com/NOW/download/software/snapmanager_sap_unix/3.4/
    http://mysupport.netapp.com/NOW/download/software/snapmanager_sap_win/3.4/
  • Clustered Data ONTAP Antivirus Connector
    http://mysupport.netapp.com/NOW/download/software/ontap_av_connector/1.0.3/
  • Cluster Network Switch (NetApp CN1610)
    http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/NetApp/cn1610cm/bin/NetApp_CN1610_1.1.0.8.stk
    http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/NetApp/cn1610cm/bin/NetApp_CN1610_1.1.0.8-mibs.tar.bz2
    http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/NetApp/cn1610cm/bin/NetApp_CN1610_1.2.0.1.stk
    http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/NetApp/cn1610cm/bin/NetApp_CN1610_1.2.0.1-mibs.tar.bz2
  • OnCommand Unified Manager Host Package
    OnCommand Unified Manager Host Package has no plans to address this vulnerability. See the EOA announcement for more information.
  • Virtual Storage Console for VMware vSphere 7.2 and above
    http://mysupport.netapp.com/NOW/download/software/vsc_win/6.0/
  • OnCommand Insight
    http://mysupport.netapp.com/NOW/download/software/sanscreen/7.1/
  • SnapManager for Oracle
    http://mysupport.netapp.com/NOW/download/software/snapmanager_oracle_unix/3.4/
    http://mysupport.netapp.com/NOW/download/software/snapmanager_oracle_win/3.4/
  • OnCommand Report
    OnCommand Report has no plans to address this vulnerability. See the EOA announcement for more information.
  • Open Systems SnapVault Agent
    http://mysupport.netapp.com/NOW/download/software/snapvault_oss/aix/3.0.1P6/
    http://mysupport.netapp.com/NOW/download/software/snapvault_oss/hpux/3.0.1P6/
    http://mysupport.netapp.com/NOW/download/software/snapvault_oss/linux/3.0.1P6/
    http://mysupport.netapp.com/NOW/download/software/snapvault_oss/sol/3.0.1P6/
    http://mysupport.netapp.com/NOW/download/software/snapvault_oss/solx86/3.0.1P6/
    http://mysupport.netapp.com/NOW/download/software/snapvault_oss/esx/3.0.1P6/
    http://mysupport.netapp.com/NOW/download/software/snapvault_oss/win2003/3.0.1P6/
    http://mysupport.netapp.com/NOW/download/software/snapvault_oss/win2008/3.0.1P6/
  • Brocade Network Advisor Software
    https://www.broadcom.com/products/fibre-channel-networking/software/brocade-network-advisor
  • SnapManager for Sharepoint
    Disable SSLv2 and SSLv3 in SnapManager for SharePoint (SMSP): https://kb.netapp.com/support/index?page=content&id=3014544
  • Data ONTAP operating in 7-Mode
    Enable TLS then disable SSLv2 and v3 in ONTAP using the following KB article: https://kb.netapp.com/support/index?page=content&id=1015015
  • NetApp Plug-in for Symantec NetBackup
    https://mysupport.netapp.com/NOW/download/software/nbu_plugin_lin/1.1P1/
    https://mysupport.netapp.com/NOW/download/software/nbu_plugin_win/1.1P1/
  • FlashRay
    FlashRay has no plans to address this vulnerability. See the EOA announcement for more information.
  • NetApp VASA Provider for Data ONTAP operating in 7-Mode
    NetApp VASA Provider for Data ONTAP operating in 7-Mode has no plans to address this vulnerability. See the EOA announcement for more information.
  • Virtual Storage Console for Red Hat Enterprise Virtualization
    Virtual Storage Console for Red Hat Enterprise Virtualization has no plans to address this vulnerability. See the EOA announcement for more information.
  • SnapProtect
    http://mysupport.netapp.com/NOW/download/software/snapprotect/11.0SP4/
  • OnCommand Balance
    http://mysupport.netapp.com/NOW/download/software/oncommand_ib/4.2.1/
  • Virtual Storage Console for Citrix XenServer
    Virtual Storage Console for Citrix XenServer has no plans to address this vulnerability. See the EOA announcement for more information.
  • NetApp VTL
    NetApp VTL has no plans to address this vulnerability. See the EOA announcement for more information.
  • Brocade Fabric Operating System Firmware
    http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Brocade/v7.3.0c.zip
    http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Brocade/v7.3.0c.tar.gz

Workarounds

Where possible, disable SSL v3.0 and use TLSv1.0 or above. SSLv2 is not a recommended workaround.

Obtaining Software Fixes

Software fixes will be made available through the NetApp Support website in the Software Download section.

https://mysupport.netapp.com/site/downloads/

Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.

Contact Information

Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:

Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)

Status of This Notice

Final.

This advisory is posted at the following link:
https://security.netapp.com/advisory/NTAP-20141015-0001

Revision History

Revision # Date Comments
1.0 20141015 Initial Public Release
2.0 20141016 Added products to Affected Products and Products Not Affected
3.0 20141017 Added products to Affected Products and Products Not Affected
4.0 20141020 Updated Products Under Investigation
5.0 20141021 Added products to Products Not Affected
6.0 20141023 Updated Affected Products bug links; added products to Affected Products
7.0 20141024 Updated Products Under Investigation; added products to Affected Products
8.0 20141105 Updated Affected Products; additional explanation added to Software Versions and Fixes
9.0 20141106 Updated Affected Products; added link to advisory; updated Software Versions and Fixes
10.0 20141107 Edits to Software Versions and Fixes and Workarounds
11.0 20141112 Updated Affected Products
12.0 20141201 Updated Software Versions and Fixes
13.0 20141204 Updated Products Under Investigation and Workarounds; minor edit
14.0 20141205 Updated Host Utilities naming convention, Affected Products, and Products Not Affected
15.0 20141208 Updated Software Versions and Fixes
16.0 20141222 Corrected Red Hat VSC tracking ID
17.0 20150115 Updated Software Versions and Fixes
18.0 20150126 Updated Products Not Affected & Affected Products; removed Brocade DCFM products due to end of support
19.0 20150127 Updated Affected Products & Products Not Affected; removed Agent for VCS and NetApp NFS & VSC for Apache Cloudstack due to End of Support status
20.0 20150128 Updated Affected Products & Software Versions and Fixes
21.0 20150204 Updated title with CVE & reworded summary
22.0 20150206 Updated Affected Products & Software Versions and Fixes; removed multiple products due to EOS status
23.0 20150213 Updated Affected Products, Software Versions and Fixes, & Workarounds
24.0 20150220 Added detail on Virtual Storage Console for VMware vSphere in Workarounds
25.0 20150223 Clarified Virtual Storage Console for VMware vSphere workaround
26.0 20150225 Updated Affected Products & Workarounds, combined various SAN Host Utilities into "Host Utilities - SAN for Unix and Linux"
27.0 20150226 Updated Affected Products
28.0 20150309 Updated Software Versions and Fixes
29.0 20150313 Updated Affected Products & Software Versions and Fixes
30.0 20150318 Updated Software Versions and Fixes
31.0 20150320 Updated Software Versions and Fixes
32.0 20150326 Updated Software Versions and Fixes
33.0 20150327 Updated Software Versions and Fixes
34.0 20150331 Updated Software Versions and Fixes
35.0 20150407 Updated Affected Products
36.0 20150409 Updated Software Versions and Fixes SCF details
37.0 20150414 Updated Affected Products & Products Not Affected
38.0 20150617 Updated Software Versions and Fixes
39.0 20150618 Updated Software Versions and Fixes & Products Not Affected
40.0 20150619 Added EOA CPC links to Virtual Storage Console (VSC) for Citrix XenServer & Virtual Storage Console (VSC) for Red Hat
41.0 20150625 Updated Affected Products & Products Not Affected - Host Utilities - SAN for ESX EOS
42.0 20150626 Added OnCommand Insight & Cluster Network/Management Switches (Cisco) to Software Versions and Fixes
43.0 20150708 Service Processor moved from Affected Products to Products Not Affected
44.0 20150827 OnCommand Unified Manager Host Package added to Software Versions and Fixes
45.0 20150917 Data ONTAP SMI-S Agent, NetApp Host Agent & OnCommand Report added to Software Versions and Fixes
46.0 20150922 7-Mode Transition Tool, Brocade Network Advisor Software, Cluster Network/Management Switches (NetApp), Data Decryption Software, E-Series Storage Management Initiative Specification (SMI-S) Provider, E-Series/EF-Series SANtricity Management Plug-ins (WebServices) & OnCommand Plug-in for Microsoft added to Software Versions and Fixes
47.0 20151006 NetApp Plugin for Symantec Netbackup added to Software Versions and Fixes
48.0 20151029 SnapDrive for UNIX (SDU) and SnapDrive for Windows added to Software Versions and Fixes
49.0 20151202 SnapManager for Oracle (SMO) and SnapManager for SAP (SMSAP) added to Software Versions and Fixes
50.0 20151222 FAS/V-Series Storage Replication Adapter for Clustered Data ONTAP & FAS/V-Series Storage Replication Adapter for 7mode Data ONTAP added to Workarounds.
51.0 20160216 Updated Virtual Storage Console for VMware vSphere workaround.
52.0 20160308 Added fix link for Snap Creator Framework 4.3 under Software Versions and Fixes
53.0 20160811 SnapProtect added to Software Versions and Fixes
54.0 20160831 Formatting; Clustered Data ONTAP Antivirus Connector added to Software Versions and Fixes
55.0 20160906 Cisco MDS, Fibre Channel Switch (Cisco), Data ONTAP PowerShell Toolkit added to Software Versions and Fixes; Updated fix for OnCommand Unified Manager for Clustered Data ONTAP (6.x)
56.0 20161108 RBAC User Creator for Data ONTAP removed due to being a Toolchest product that is supported in the communities
57.0 20170214 OnCommand Unified Manager Core Package added back to the advisory after inadvertently being removed
58.0 20191021 NetApp SMI-S Provider added to Software Versions and Fixes, Final status

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2017 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.