CVE-2016-0800 SSLv2 Vulnerability in Multiple NetApp Products
This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.
Subscribe to NTAP-20160301-0001 updates
Subscribe to NTAP-20160301-0001 advisory updates
Confirmed your subscription to advisory alerts
Unsubscribe from NTAP-20160301-0001 advisory updates
Unsubscribe from NTAP-20160301-0001 advisory updates
Unsubscribed successfully from advisory alerts
Advisory ID: NTAP-20160301-0001 Version: 35.0 Last updated: 08/26/2019 Status: Final. CVEs: CVE-2016-0800
Summary
Multiple NetApp products utilize the SSL protocol. The SSLv2 protocol is susceptible to a vulnerability which makes it easier for man-in-the-middle attackers to obtain plaintext data via a Bleichenbacher RSA padding-oracle attack, referred to as a DROWN (Decrypting RSA using Obsolete and Weakened eNcryption) attack. This advisory will be updated as additional information becomes available.
Impact
Exploitation of this vulnerability may lead to unauthorized disclosure of information.
Vulnerability Scoring Details
| CVE | Score | Vector |
|---|---|---|
| CVE-2016-0800 | 6.6 (MEDIUM) | AV:N/AC:M/Au:N/C:C/I:P/A:N/E:U/RL:U/RC:C |
Exploitation and Public Announcements
NetApp is aware of public discussion of this vulnerability.
References
Affected Products
- Clustered Data ONTAP
- Clustered Data ONTAP Antivirus Connector
- Data ONTAP operating in 7-Mode
- MetroCluster Tiebreaker for clustered Data ONTAP
- NetApp Cloud Backup (formerly AltaVault)
- NetApp Host Agent
- NetApp Manageability SDK
- NetApp SMI-S Provider
- NetApp VASA Provider for Clustered Data ONTAP 7.2 and above
- OnCommand Report
- OnCommand Shift
- OnCommand Unified Manager for 7-Mode (core package)
- OnCommand Workflow Automation
- Open Systems SnapVault Agent
- Perfstat
- RBAC User Creator for Data ONTAP
- Snap Creator Framework
- SnapDrive for Unix
- SnapDrive for Windows
- SnapProtect
- Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 7.2 and above
- Storage Replication Adapter for Data ONTAP operating in 7-Mode 2.1
Products Not Affected
- 7-Mode Transition Tool
- ATTO FibreBridge
- Brocade Fabric Operating System Firmware
- Brocade Network Advisor Software
- Cluster Network Switch (NetApp CN1610)
- Data ONTAP Edge
- Data ONTAP PowerShell Toolkit
- E-Series SANtricity Management Plug-ins (VMware VASA (Windows))
- E-Series SANtricity Management Plug-ins (VMware vCenter (Linux))
- E-Series SANtricity Management Plug-ins (VMware vCenter)
- E-Series SANtricity Storage Manager
- E-Series SANtricity Web Services (REST API) for Web Services Proxy
- FAS/AFF BIOS
- Host Utilities - SAN for Linux
- Host Utilities - SAN for Windows
- NetApp NFS Plug-in for VMware VAAI
- NetApp Plug-in for Symantec NetBackup
- NetApp SANtricity SMI-S Provider
- NetApp Storage Encryption
- OnCommand API Services
- OnCommand Balance
- OnCommand Cloud Manager
- OnCommand Insight
- OnCommand Performance Manager (Unified Manager Performance Pkg)
- OnCommand Plug-in for Microsoft
- OnCommand System Manager 9.x
- OnCommand Unified Manager for Clustered Data ONTAP
- RAID Controller CTS2600 Legacy Engenio
- Service Processor
- Single Mailbox Recovery
- SnapCenter
- SnapManager for Exchange
- SnapManager for Hyper-V
- SnapManager for MS SQL
- SnapManager for Oracle
- SnapManager for SAP
- SnapManager for Sharepoint
- Storage Services Connector
- StorageGRID (formerly StorageGRID Webscale)
- StorageGRID9 (9.x and prior)
- System Setup
- Virtual Storage Console for VMware vSphere 7.2 and above
Software Versions and Fixes
NetApp's currently available patches are listed below.
| Product | First Fixed in Release |
|---|---|
| OnCommand Shift |
OnCommand Shift has no plans to address this vulnerability. See the EOA announcement for more information. |
| NetApp Manageability SDK |
Users dynamically linking to C/C++ libraries of the NMSDK can upgrade to OpenSSL 1.0.2g by following the NMSDK help documentation. Static C/C++ library users will need a patched version of NMSDK containing the upgraded version of OpenSSL (1.0.2g). Perl, Python and Ruby library users need to upgrade the OpenSSL installed on their client system to OpenSSL 1.0.2g. |
| OnCommand Unified Manager for 7-Mode (core package) |
https://mysupport.netapp.com/NOW/download/software/occore_win/5.2.3/ https://mysupport.netapp.com/NOW/download/software/occore_lin/5.2.3/ |
| Clustered Data ONTAP |
http://mysupport.netapp.com/NOW/download/software/ontap/9.0/ |
| SnapDrive for Unix |
https://mysupport.netapp.com/NOW/download/software/snapdrive_redhatlinux/5.3.1/ https://mysupport.netapp.com/NOW/download/software/snapdrive_aix/5.3.1/ https://mysupport.netapp.com/NOW/download/software/snapdrive_sol/5.3.1/ https://mysupport.netapp.com/NOW/download/software/snapdrive_solx86/5.3.1/ |
| SnapDrive for Windows |
http://mysupport.netapp.com/NOW/download/software/snapdrive_win/7.1.4/ |
| NetApp SMI-S Provider |
https://mysupport.netapp.com/products/smis/5.2.5/ |
| Snap Creator Framework |
https://mysupport.netapp.com/NOW/download/software/snapcreator_framework/4.3P1/ |
| Storage Replication Adapter for Data ONTAP operating in 7-Mode 2.1 |
Storage Replication Adapter for Data ONTAP operating in 7-Mode 2.1 has no plans to address this vulnerability. See the EOA announcement for more information. |
| Open Systems SnapVault Agent |
https://support.netapp.com/NOW/download/software/snapvault_oss/win2003/3.0.1P8 https://support.netapp.com/NOW/download/software/snapvault_oss/win2008/3.0.1P8 https://support.netapp.com/NOW/download/software/snapvault_oss/linux/3.0.1P8 https://support.netapp.com/NOW/download/software/snapvault_oss/solx86/3.0.1P8 https://support.netapp.com/NOW/download/software/snapvault_oss/sol/3.0.1P8 |
| NetApp Host Agent |
NetApp Host Agent has no plans to address this vulnerability. See the EOA announcement for more information. |
| NetApp VASA Provider for Clustered Data ONTAP 7.2 and above |
https://mysupport.netapp.com/NOW/download/software/sra_cmode/4.0/ |
| NetApp Cloud Backup (formerly AltaVault) |
http://mysupport.netapp.com/NOW/download/software/altavault_virtualapp/4.2.1/ |
| OnCommand Report |
OnCommand Report has no plans to address this vulnerability. See the EOA announcement for more information. |
| SnapProtect |
SnapProtect has no plans to address this vulnerability. See the EOA announcement for more information. |
| RBAC User Creator for Data ONTAP |
RBAC User Creator for Data ONTAP has no plans to address this vulnerability. |
| Clustered Data ONTAP Antivirus Connector |
http://mysupport.netapp.com/NOW/download/software/ontap_av_connector/1.0.3/ |
| Perfstat |
Customers concerned with the DROWN vulnerability should upgrade their version of OpenSSL on any Linux/Mac/Windows perfstat hosts following these guidelines: https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/ Additionally, ensure SSLv2 is disabled on any servers (OpenSSL 1.0.1s and 1.0.2g disables SSLv2 by default) and upgrade ONTAP release to >= 9.0 or disable SSLv2. |
| Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 7.2 and above |
https://mysupport.netapp.com/NOW/download/software/sra_cmode/4.0/ |
| Data ONTAP operating in 7-Mode |
Enable TLS then disable SSLv2 and v3 in ONTAP using the KB listed in the Workarounds section. |
| MetroCluster Tiebreaker for clustered Data ONTAP |
http://mysupport.netapp.com/NOW/download/software/metrocluster_tiebreaker/1.2/ |
| OnCommand Workflow Automation |
http://mysupport.netapp.com/NOW/download/software/ocwfa/4.0/ http://mysupport.netapp.com/NOW/download/software/ocwfa_linux/4.0/ |
Workarounds
Where possible, disable SSL v3.0 and use TLSv1.0 or above. SSLv2 is not a recommended workaround.
- Disable SSLv2 and SSLv3 in OnCommand Unified Manager 5.2.1GA https://kb.netapp.com/support/index?page=content&id=3014517
- Disable SSLv2 and SSLv3 in Data ONTAP https://kb.netapp.com/support/index?page=content&id=1015015
Obtaining Software Fixes
Software fixes will be made available through the NetApp Support website in the Software Download section.
https://mysupport.netapp.com/site/downloads/
Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.
Contact Information
Check http://mysupport.netapp.com for further
updates.
For questions, contact NetApp at:
Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)
Status of This Notice
Final.
This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.
This advisory is posted at the following link:
https://security.netapp.com/advisory/NTAP-20160301-0001
Revision History
| Revision # | Date | Comments |
|---|---|---|
| 1.0 | 20160301 | Initial Public Release |
| 2.0 | 20160302 | Data ONTAP PowerShell Toolkit, NetApp Plug-in for Symantec NetBackup, OnCommand Performance Manager (Unified Manager Performance Pkg) & OnCommand Unified Manager for Clustered Data ONTAP (6.x) added to Products Not Affected |
| 3.0 | 20160303 | Data ONTAP operating in 7-Mode, NetApp Manageability SDK, SnapDrive for Windows & SnapCenter Plug-in for Microsoft SQL Server moved to Affected Products; E-Series/EF-Series SANtricity Management Plug-ins (VMware VASA (Windows)), E-Series/EF-Series SANtricity Management Plug-ins (VMware vCenter (Linux)), E-Series/EF-Series SANtricity Management Plug-ins (VMware vCenter (Windows)), E-Series/EF-Series SANtricity Management Plug-ins (WebServices), E-Series/EF-Series SANtricity Storage Manager, OnCommand API Services, OnCommand Balance, OnCommand Cloud Manager & OnCommand System Manager, & Storage Management Initiative Specification (SMI-S) Providers for E-Series moved to Products Not Affected |
| 4.0 | 20160304 | AutoSupport, MySupport, support.netapp.com moved to Products Not Affected |
| 5.0 | 20160307 | NetApp AltaVault, Clustered Data ONTAP moved to Affected Products |
| 6.0 | 20160308 | OnCommand Workflow Automation moved to Affected Products |
| 7.0 | 20160309 | SnapDrive for Unix moved to Affected Products; SnapManager for SAP, SnapManager for Oracle, SnapCenter Server, Virtual Storage Console for VMware vSphere, System Setup, OnCommand Insight, Data ONTAP Edge moved to Products Not Affected |
| 8.0 | 20160310 | Cluster Network/Management Switches (Cisco) moved to Products Not Affected |
| 9.0 | 20160315 | Cluster Network/Management Switches (NetApp) moved to Products Not Affected |
| 10.0 | 20160419 | Snap Creator Framework & Clustered Data ONTAP Antivirus Connector moved to Affected Products |
| 11.0 | 20160426 | 7-Mode Transition Tool moved to Products Not Affected |
| 12.0 | 20160601 | Brocade Fabric Operating System Firmware, Fibre Channel Switch (NetApp) moved to Products Not Affected |
| 13.0 | 20160628 | Snap Creator Framework added to Software Versions and Fixes |
| 14.0 | 20160726 | Perfstat, SnapManager for Sharepoint moved to Affected Products; OnCommand Report added to Software Versions and Fixes |
| 15.0 | 20160811 | OnCommand Workflow Automation, NetApp AltaVault added to Software Versions and Fixes; SnapCenter Plug-in for Windows moved to Products Not Affected; NetApp VASA Provider for Clustered Data ONTAP moved to Affected Products |
| 16.0 | 20160816 | MetroCluster Tiebreaker for clustered Data ONTAP added to Software Versions and Fixes |
| 17.0 | 20160831 | Clustered Data ONTAP Antivirus Connector & NetApp Host Agent added to Software Versions and Fixes |
| 18.0 | 20161006 | SnapManager for Sharepoint moved to Products Not Affected after further evaluation as the vulnerability exists in other dependent software. |
| 19.0 | 20161025 | SnapDrive for Unix added to Software Versions and Fixes |
| 20.0 | 20161108 | Config Advisor, Data ONTAP PowerShell Toolkit, RBAC User Creator for Data ONTAP removed due to being Toolchest products that are supported in the communities |
| 21.0 | 20161117 | OnCommand Unified Manager Core Package (5.x) moved to Affected Products, after further investigation SnapCenter Plug-in for Microsoft SQL Server was moved from Affected Products to Products Not Affected |
| 22.0 | 20161118 | SnapDrive for Windows added to Software Versions and Fixes |
| 23.0 | 20161206 | FAS/V-Series Storage Replication Adapter for Clustered Data ONTAP and OnCommand Shift moved to Affected Products |
| 24.0 | 20170214 | Open Systems SnapVault Agent moved to Affected Products, SnapCenter Plug-in for Microsoft SQL Server and SnapCenter Plug-in for Windows removed as they are now bundled with SnapCenter Server |
| 25.0 | 20170228 | Clustered Data ONTAP and Open Systems SnapVault Agent added to Software Versions and Fixes |
| 26.0 | 20171109 | Workarounds section updated, FAS/V-Series Storage Replication Adapter for Clustered Data ONTAP added to Software Versions and Fixes, Cisco Fibre Channel Switch link updated |
| 27.0 | 20180315 | OnCommand Shift moved to Won't Fix status |
| 28.0 | 20180416 | Storage Replication Adapter for Data ONTAP operating in 7-Mode 2.1 moved to Won't Fix status |
| 29.0 | 20180423 | NetApp VASA Provider for Clustered Data ONTAP 7.0 and above added to Software Versions and Fixes |
| 30.0 | 20180621 | OnCommand Unified Manager for 7-Mode (core package) added to Software Versions and Fixes |
| 31.0 | 20180825 | NetApp SMI-S Provider moved to Affected Products |
| 32.0 | 20181004 | NetApp Host Agent moved to Won't Fix status |
| 33.0 | 20190520 | After additional review OnCommand Plug-in for Microsoft moved from Affected Products to Products Not Affected |
| 34.0 | 20190531 | SnapProtect moved to Won't Fix status |
| 35.0 | 20190826 | NetApp SMI-S Provider added to Software Versions and Fixes, Final status |
This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2022 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.