CVE-2014-3566 SSL v3.0 Nondeterministic CBC Padding Vulnerability in Multiple NetApp Products

Summary

Multiple NetApp products incorporate the OpenSSL software libraries to provide cryptographic capabilities. The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a vulnerability also known as POODLE. NetApp is investigating which products use SSL v3.0. Known workarounds include disabling SSL v3.0 and/or forcing the use of TLS only. This advisory will be updated as additional information becomes available.
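As an added illustration that is not part of the NetApp advisory, the following Python shows what "nondeterministic CBC padding" means in practice: it compares the padding check an SSL 3.0 receiver performs with the one TLS 1.0 and later perform, on constructed records (the record layout is simplified to the padding bytes; no real SSL/TLS framing is implemented).

```python
"""
Why SSL 3.0's CBC padding is "nondeterministic" (the property behind
CVE-2014-3566 / POODLE). Added illustration, not NetApp code; records are
reduced to plaintext bytes plus padding, with no MAC or record header.

Both SSL 3.0 and TLS 1.0 end a CBC-protected record with padding bytes
followed by one padding-length byte. What the receiver may check differs:
  * SSL 3.0: only the length byte (it must be smaller than the cipher block
    size); the padding bytes themselves may hold anything.
  * TLS 1.0+: every padding byte must equal the length byte.
In SSL 3.0 a block of arbitrary bytes therefore counts as valid padding
whenever its final byte is small enough, so the receiver's accept/reject
decision depends on (and leaks) that one byte. TLS pins every padding byte,
which is why the advisory's remedy is to disable SSL v3.0 and use TLS.
"""
import random

BLOCK = 16  # AES-CBC block size in bytes


def sslv3_padding_ok(plaintext: bytes) -> bool:
    """SSL 3.0 rule: the final byte is the padding length and must be less
    than the block size; the padding bytes' contents are not inspected."""
    if not plaintext or len(plaintext) % BLOCK != 0:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK and pad_len + 1 <= len(plaintext)


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0 rule: the final byte is the padding length and each of the
    preceding pad_len bytes must equal it (deterministic padding)."""
    if not plaintext or len(plaintext) % BLOCK != 0:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):-1])


def acceptance_rate(check, pad_len: int, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of two-block records accepted by `check` when the pad_len
    padding bytes are filled with random values (constructed data, fixed seed)."""
    rng = random.Random(seed)
    body_len = 2 * BLOCK - pad_len - 1  # message bytes so the record is 2 blocks
    accepted = 0
    for _ in range(trials):
        filler = bytes(rng.randrange(256) for _ in range(pad_len))
        record = b"M" * body_len + filler + bytes([pad_len])
        accepted += check(record)
    return accepted / trials


if __name__ == "__main__":
    # A full block of padding: 15 padding bytes plus the length byte 15.
    print("SSLv3 accepts random padding:", acceptance_rate(sslv3_padding_ok, 15))
    print("TLS accepts random padding:  ", acceptance_rate(tls_padding_ok, 15))
```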

Impact

Exploitation of this vulnerability may lead to unauthorized disclosure of information.

Vulnerability Scoring Details

CVE Score   Vector
3.7 (LOW)   AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:C

Exploitation and Public Announcements

NetApp is aware of public discussion of this vulnerability.

References

Affected Products

  • 7-Mode Transition Tool
  • Brocade Data Center Fabric Manager Professional Software
  • Brocade Fabric Operating System Firmware
  • Brocade Network Advisor Software
  • Cluster Network Switch (Cisco Nexus 5596UP/5596T)
  • Cluster Network Switch (NetApp CN1610)
  • Clustered Data ONTAP
  • Clustered Data ONTAP Antivirus Connector
  • Data ONTAP PowerShell Toolkit
  • Data ONTAP operating in 7-Mode
  • FAS/V-Series Storage Replication Adapter for 7-Mode Data ONTAP
  • Fibre Channel Switch (Cisco MDS)
  • Fibre Channel Switch (Cisco Nexus)
  • Fibre Channel Switch (Cisco)
  • FlashRay
  • NetApp Host Agent
  • NetApp Manageability SDK
  • NetApp Plug-in for Symantec NetBackup
  • NetApp Recovery Manager for Citrix Sharefile
  • NetApp SMI-S Provider
  • NetApp VASA Provider for Clustered Data ONTAP
  • NetApp VASA Provider for Data ONTAP operating in 7-mode
  • NetApp VTL
  • OnCommand Balance
  • OnCommand Insight
  • OnCommand Performance Manager (Unified Manager Performance Pkg)
  • OnCommand Plug-in for Microsoft
  • OnCommand Report
  • OnCommand System Manager
  • OnCommand Unified Manager Core Package (5.x)
  • OnCommand Unified Manager Host Package
  • OnCommand Unified Manager for Clustered Data ONTAP
  • OnCommand Workflow Automation
  • Open Systems SnapVault Agent
  • RapidData Migration Solution
  • Snap Creator Framework
  • SnapDrive for Unix
  • SnapDrive for Windows
  • SnapManager for Oracle
  • SnapManager for SAP
  • SnapManager for Sharepoint
  • SnapProtect
  • Virtual Storage Console for Citrix XenServer
  • Virtual Storage Console for Red Hat Enterprise Virtualization
  • Virtual Storage Console for VMware vSphere

Products Not Affected

  • ATTO FibreBridge
  • AutoSupport, MySupport, support.netapp.com
  • Brocade Network Operating System Firmware
  • Cisco Data Center Network Manager
  • Cisco Fabric Manager Software
  • Data Migration Appliance DTA2800 (DTA Firmware)
  • Data Migration Appliance DTA2800 (DTA Manager)
  • Data Migration Appliance DTA2800 (DTA Remote CLI)
  • Data Migration Appliance DTA2800 (Space Reclamation Utility)
  • Data ONTAP Edge
  • E-Series SANtricity Management Plug-ins (Microsoft SQL Server (SSMS))
  • E-Series SANtricity Management Plug-ins (Microsoft System Center (SCOM))
  • E-Series SANtricity Management Plug-ins (Oracle EM)
  • E-Series SANtricity Management Plug-ins (VMware SRA)
  • E-Series SANtricity Management Plug-ins (VMware VASA (Windows))
  • E-Series SANtricity Management Plug-ins (VMware vCenter (Linux))
  • E-Series SANtricity Management Plug-ins (VMware vCenter (Windows))
  • E-Series SANtricity OS Controller Software 8.x
  • E-Series SANtricity Storage Manager
  • E-Series SANtricity Web Services (REST API)
  • FAS/AFF System Firmware (BIOS)
  • FAS/V-Series Storage Replication Adapter for Clustered Data ONTAP
  • Host Utilities - SAN for ESX
  • Host Utilities - SAN for Unix and Linux
  • Host Utilities - SAN for Windows
  • MetroCluster Plug-in for vSphere
  • Multipath I/O (Data ONTAP DSM for Windows MPIO)
  • NetApp AltaVault
  • NetApp NFS Plug-in for VMware VAAI
  • NetApp SANtricity SMI-S Provider
  • NetApp Storage Encryption
  • OnCommand Cloud Manager
  • RAID Controller CTS2600 Legacy Engenio
  • Single Mailbox Recovery
  • SnapManager for Exchange
  • SnapManager for Hyper-V
  • SnapManager for MS SQL
  • Storage Services Connector
  • StorageGRID
  • StorageGRID Webscale
  • System Setup

Software Versions and Fixes

NetApp's currently available patches are listed below.

Product / First Fixed in Release

  • OnCommand Unified Manager Core Package (5.x)
      https://mysupport.netapp.com/NOW/download/software/occore_win/5.2.1/
      https://mysupport.netapp.com/NOW/download/software/occore_lin/5.2.1/
      After upgrading, SSLv2 and SSLv3 must be disabled: https://kb.netapp.com/support/index?page=content&id=3014517
  • OnCommand Insight
      http://mysupport.netapp.com/NOW/download/software/sanscreen/7.1/
  • Clustered Data ONTAP Antivirus Connector
      http://mysupport.netapp.com/NOW/download/software/ontap_av_connector/1.0.3/
  • OnCommand Unified Manager for Clustered Data ONTAP
      http://mysupport.netapp.com/NOW/download/software/oncommand_cdot/6.3/
      http://mysupport.netapp.com/NOW/download/software/oncommand_cdot_lin/6.3/
  • NetApp VTL
      NetApp VTL has no plans to address this vulnerability. See the EOA announcement for more information.
  • NetApp Recovery Manager for Citrix Sharefile
      NetApp Recovery Manager for Citrix Sharefile has no plans to address this vulnerability.
  • 7-Mode Transition Tool
      http://mysupport.netapp.com/NOW/download/software/ntap_7mtt/2.0/
  • Open Systems SnapVault Agent
      http://mysupport.netapp.com/NOW/download/software/snapvault_oss/aix/3.0.1P6/
      http://mysupport.netapp.com/NOW/download/software/snapvault_oss/hpux/3.0.1P6/
      http://mysupport.netapp.com/NOW/download/software/snapvault_oss/linux/3.0.1P6/
      http://mysupport.netapp.com/NOW/download/software/snapvault_oss/sol/3.0.1P6/
      http://mysupport.netapp.com/NOW/download/software/snapvault_oss/solx86/3.0.1P6/
      http://mysupport.netapp.com/NOW/download/software/snapvault_oss/esx/3.0.1P6/
      http://mysupport.netapp.com/NOW/download/software/snapvault_oss/win2003/3.0.1P6/
      http://mysupport.netapp.com/NOW/download/software/snapvault_oss/win2008/3.0.1P6/
  • SnapDrive for Windows
      http://mysupport.netapp.com/NOW/download/software/snapdrive_win/7.1.2/
  • NetApp VASA Provider for Data ONTAP operating in 7-mode
      NetApp VASA Provider for Data ONTAP operating in 7-mode has no plans to address this vulnerability. See the EOA announcement for more information.
  • Snap Creator Framework
      http://mysupport.netapp.com/NOW/download/software/snapcreator_framework/4.3/
      SCF supports TLS for communication with Data ONTAP once SSL v3 is disabled within Java on both the SCF Server and Agent hosts and TLS has been enabled in ONTAP.
  • FlashRay
      FlashRay has no plans to address this vulnerability. See the EOA announcement for more information.
  • Data ONTAP operating in 7-Mode
      Enable TLS, then disable SSLv2 and SSLv3 in ONTAP, using the following KB article: https://kb.netapp.com/support/index?page=content&id=1015015
  • SnapManager for Sharepoint
      Disable SSLv2 and SSLv3 in SnapManager for SharePoint (SMSP): https://kb.netapp.com/support/index?page=content&id=3014544
  • NetApp Plug-in for Symantec NetBackup
      https://mysupport.netapp.com/NOW/download/software/nbu_plugin_win/1.1P1/
      https://mysupport.netapp.com/NOW/download/software/nbu_plugin_lin/1.1P1/
  • FAS/V-Series Storage Replication Adapter for 7-Mode Data ONTAP
      To use TLS exclusively, upgrade to SRM 6.0 and enable SSL communication as described in KB 1012531: https://kb.netapp.com/support/index?page=content&id=1012531
  • Brocade Data Center Fabric Manager Professional Software
      Brocade Data Center Fabric Manager Professional Software has no plans to address this vulnerability.
  • SnapDrive for Unix
      http://mysupport.netapp.com/NOW/download/software/snapdrive_redhatlinux/5.3/
  • SnapManager for SAP
      http://mysupport.netapp.com/NOW/download/software/snapmanager_sap_unix/3.4/
      http://mysupport.netapp.com/NOW/download/software/snapmanager_sap_win/3.4/
  • SnapProtect
      http://mysupport.netapp.com/NOW/download/software/snapprotect/11.0SP4/download.shtml
  • OnCommand Report
      OnCommand Report has no plans to address this vulnerability. See the EOA announcement for more information.
  • OnCommand Balance
      http://mysupport.netapp.com/NOW/download/software/oncommand_ib/4.2.1/
  • Brocade Network Advisor Software
      12.3.3: http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Brocade/san_download.shtml
  • Fibre Channel Switch (Cisco)
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/m9250-s5ek9-mz.6.2.13.zip
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/m9100-s5ek9-mz.6.2.13.zip
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/m9200-s2ek9-mz.6.2.13.zip
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/m9500-sf2ek9-mz.6.2.13.zip
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/m9700-sf3ek9-mz.6.2.13.zip
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/n7700-s1-dk9.6.2.12.zip
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/n7700-s2-dk9.6.2.12.zip
  • Cluster Network Switch (NetApp CN1610)
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/NetApp/cn1610cm/bin/NetApp_CN1610_1.1.0.8.stk
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/NetApp/cn1610cm/bin/NetApp_CN1610_1.1.0.8-mibs.tar.bz2
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/NetApp/cn1610cm/bin/NetApp_CN1610_1.2.0.1.stk
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/NetApp/cn1610cm/bin/NetApp_CN1610_1.2.0.1-mibs.tar.bz2
  • OnCommand Workflow Automation
      http://mysupport.netapp.com/NOW/download/software/ocwfa/3.0/
  • Fibre Channel Switch (Cisco MDS)
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/m9100-s5ek9-mz.6.2.13.zip
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/m9200-s2ek9-mz.6.2.13.zip
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/m9500-sf2ek9-mz.6.2.13.zip
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/m9700-sf3ek9-mz.6.2.13.zip
  • Virtual Storage Console for Red Hat Enterprise Virtualization
      Virtual Storage Console for Red Hat Enterprise Virtualization has no plans to address this vulnerability. See the EOA announcement for more information.
  • OnCommand Performance Manager (Unified Manager Performance Pkg)
      http://mysupport.netapp.com/NOW/download/software/oncommand_pm/1.0R2/
  • Virtual Storage Console for Citrix XenServer
      Virtual Storage Console for Citrix XenServer has no plans to address this vulnerability. See the EOA announcement for more information.
  • Clustered Data ONTAP
      Enable TLS, then disable SSLv2 and SSLv3 in ONTAP, using the following KB article: https://kb.netapp.com/support/index?page=content&id=1015015
  • Virtual Storage Console for VMware vSphere
      http://mysupport.netapp.com/NOW/download/software/vsc_win/6.0/
  • NetApp Host Agent
      NetApp Host Agent has no plans to address this vulnerability. See the EOA announcement for more information.
  • OnCommand Unified Manager Host Package
      OnCommand Unified Manager Host Package has no plans to address this vulnerability. See the EOA announcement for more information.
  • Data ONTAP PowerShell Toolkit
      http://mysupport.netapp.com/tools/info/ECMLP2310788I.html?productID=61926
  • NetApp VASA Provider for Clustered Data ONTAP
      http://mysupport.netapp.com/NOW/download/software/vasa_cdot/5.0P1/
  • Fibre Channel Switch (Cisco Nexus)
      http://mysupport.netapp.com/NOW/download/software/cm_switches/
  • Brocade Fabric Operating System Firmware
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Brocade/v7.3.0c.zip
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Brocade/v7.3.0c.tar.gz
  • SnapManager for Oracle
      http://mysupport.netapp.com/NOW/download/software/snapmanager_oracle_unix/3.4/
      http://mysupport.netapp.com/NOW/download/software/snapmanager_oracle_win/3.4/
  • Cluster Network Switch (Cisco Nexus 5596UP/5596T)
      http://mysupport.netapp.com/NOW/download/software/sanswitch/fcp/Cisco/cisco_cns/download.shtml#7.111

Workarounds

Where possible, disable SSL v3.0 and use TLSv1.0 or above. Falling back to SSLv2 is not a recommended workaround.

Obtaining Software Fixes

Software fixes will be made available through the NetApp Support website in the Software Download section.

https://mysupport.netapp.com/NOW/cgi-bin/software/

Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.

Contact Information

Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:

Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)

Status of This Notice

Interim.

NetApp will continue to update this advisory as additional information becomes available.

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.

This advisory is posted at the following link:
https://security.netapp.com/advisory/NTAP-20141015-0001

Revision History

Revision # Date Comments
1.0 20141015 Initial Public Release
2.0 20141016 Added products to Affected Products and Products Not Affected
3.0 20141017 Added products to Affected Products and Products Not Affected
4.0 20141020 Updated Products Under Investigation
5.0 20141021 Added products to Products Not Affected
6.0 20141023 Updated Affected Products bug links; added products to Affected Products
7.0 20141024 Updated Products Under Investigation; added products to Affected Products
8.0 20141105 Updated Affected Products; additional explanation added to Software Versions and Fixes
9.0 20141106 Updated Affected Products; added link to advisory; updated Software Versions and Fixes
10.0 20141107 Edits to Software Versions and Fixes and Workarounds
11.0 20141112 Updated Affected Products
12.0 20141201 Updated Software Versions and Fixes
13.0 20141204 Updated Products Under Investigation and Workarounds; minor edit
14.0 20141205 Updated Host Utilities naming convention, Affected Products, and Products Not Affected
15.0 20141208 Updated Software Versions and Fixes
16.0 20141222 Corrected Red Hat VSC tracking ID
17.0 20150115 Updated Software Versions and Fixes
18.0 20150126 Updated Products Not Affected & Affected Products; removed Brocade DCFM products due to end of support
19.0 20150127 Updated Affected Products & Products Not Affected; removed Agent for VCS and NetApp NFS & VSC for Apache Cloudstack due to End of Support status
20.0 20150128 Updated Affected Products & Software Versions and Fixes
21.0 20150204 Updated title with CVE & reworded summary
22.0 20150206 Updated Affected Products & Software Versions and Fixes; removed multiple products due to EOS status
23.0 20150213 Updated Affected Products, Software Versions and Fixes, & Workarounds
24.0 20150220 Added detail on Virtual Storage Console for VMware vSphere in Workarounds
25.0 20150223 Clarified Virtual Storage Console for VMware vSphere workaround
26.0 20150225 Updated Affected Products & Workarounds, combined various SAN Host Utilities into "Host Utilities - SAN for Unix and Linux"
27.0 20150226 Updated Affected Products
28.0 20150309 Updated Software Versions and Fixes
29.0 20150313 Updated Affected Products & Software Versions and Fixes
30.0 20150318 Updated Software Versions and Fixes
31.0 20150320 Updated Software Versions and Fixes
32.0 20150326 Updated Software Versions and Fixes
33.0 20150327 Updated Software Versions and Fixes
34.0 20150331 Updated Software Versions and Fixes
35.0 20150407 Updated Affected Products
36.0 20150409 Updated Software Versions and Fixes SCF details
37.0 20150414 Updated Affected Products & Products Not Affected
38.0 20150617 Updated Software Versions and Fixes
39.0 20150618 Updated Software Versions and Fixes & Products Not Affected
40.0 20150619 Added EOA CPC links to Virtual Storage Console (VSC) for Citrix XenServer & Virtual Storage Console (VSC) for Red Hat
41.0 20150625 Updated Affected Products & Products Not Affected - Host Utilities - SAN for ESX EOS
42.0 20150626 Added OnCommand Insight & Cluster Network/Management Switches (Cisco) to Software Versions and Fixes
43.0 20150708 Service Processor moved from Affected Products to Products Not Affected
44.0 20150827 OnCommand Unified Manager Host Package added to Software Versions and Fixes
45.0 20150917 Data ONTAP SMI-S Agent, NetApp Host Agent & OnCommand Report added to Software Versions and Fixes
46.0 20150922 7-Mode Transition Tool, Brocade Network Advisor Software, Cluster Network/Management Switches (NetApp), Data Decryption Software, E-Series Storage Management Initiative Specification (SMI-S) Provider, E-Series/EF-Series SANtricity Management Plug-ins (WebServices) & OnCommand Plug-in for Microsoft added to Software Versions and Fixes
47.0 20151006 NetApp Plugin for Symantec Netbackup added to Software Versions and Fixes
48.0 20151029 SnapDrive for UNIX (SDU) and SnapDrive for Windows added to Software Versions and Fixes
49.0 20151202 SnapManager for Oracle (SMO) and SnapManager for SAP (SMSAP) added to Software Versions and Fixes
50.0 20151222 FAS/V-Series Storage Replication Adapter for Clustered Data ONTAP & FAS/V-Series Storage Replication Adapter for 7mode Data ONTAP added to Workarounds.
51.0 20160216 Updated Virtual Storage Console for VMware vSphere workaround.
52.0 20160308 Added fix link for Snap Creator Framework 4.3 under Software Versions and Fixes
53.0 20160811 SnapProtect added to Software Versions and Fixes
54.0 20160831 Formatting; Clustered Data ONTAP Antivirus Connector added to Software Versions and Fixes
55.0 20160906 Cisco MDS, Fibre Channel Switch (Cisco), Data ONTAP PowerShell Toolkit added to Software Versions and Fixes; Updated fix for OnCommand Unified Manager for Clustered Data ONTAP (6.x)
56.0 20161108 RBAC User Creator for Data ONTAP removed due to being a Toolchest product that is supported in the communities
57.0 20170214 OnCommand Unified Manager Core Package added back to the advisory after inadvertently being removed

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2017 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.