CVE-2020-1968 OpenSSL Vulnerability in NetApp Products

circle-check-alt This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

Summary

Multiple NetApp products incorporate OpenSSL. OpenSSL versions 1.0.2 through 1.0.2v are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information.

Impact

Successful exploitation of this vulnerability could lead to disclosure of sensitive information.

Clustered Data ONTAP disables DH ciphers by default beginning with version 9.5.

Vulnerability Scoring Details

CVE Score Vector
CVE-2020-1968 3.7 (LOW) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitation and Public Announcements

NetApp is aware of public discussion of this vulnerability.

References

Affected Products

  • Active IQ Unified Manager for VMware vSphere
  • E-Series SANtricity OS Controller Software 11.x
  • NetApp Cloud Backup (formerly AltaVault)
  • NetApp Cloud Backup OST Plug-in (formerly AltaVault OST Plug-in)
  • NetApp Plug-in for Symantec NetBackup
  • NetApp SMI-S Provider
  • NetApp SolidFire Baseboard Management Controller (BMC)
  • ONTAP 9 (formerly Clustered Data ONTAP)
  • ONTAP Antivirus Connector
  • SnapDrive for Unix
  • SnapDrive for Windows

Products Not Affected

  • AFF Baseboard Management Controller (BMC) - A700s
  • Active IQ Unified Manager for Linux
  • Active IQ Unified Manager for Microsoft Windows
  • Active IQ mobile app
  • Astra Trident
  • Brocade Fabric Operating System Firmware
  • Brocade SAN Navigator (SANnav)
  • Cloud Insights Acquisition Unit
  • Cloud Insights Storage Workload Security Agent
  • Cloud Insights Telegraf Agent
  • Cloud Volumes ONTAP Mediator
  • Data ONTAP operating in 7-Mode
  • E-Series SANtricity Unified Manager and Web Services Proxy
  • Element .NET SDK
  • Element HealthTools
  • Element JAVA SDK
  • Element Plug-in for vCenter Server
  • Element Python SDK
  • FAS/AFF BIOS - 8300/8700/A400/C400
  • FAS/AFF Baseboard Management Controller (BMC) - 8300/8700/A400/C400
  • FAS/AFF Baseboard Management Controller (BMC) - C190/A150/A220/FAS2720/FAS2750
  • FAS/AFF Service Processor - 8080/8060/8040/8020
  • Host Utilities - SAN for Linux
  • Host Utilities - SAN for Windows
  • IOM6 SAS Disk Shelf Firmware
  • Management Services for Element Software and NetApp HCI
  • MetroCluster Tiebreaker for clustered Data ONTAP
  • NetApp BlueXP
  • NetApp Converged Systems Advisor Agent
  • NetApp E-Series Performance Analyzer
  • NetApp HCI Baseboard Management Controller (BMC) - H300S/H500S/H700S/H410S
  • NetApp HCI Baseboard Management Controller (BMC) - H410C
  • NetApp HCI Baseboard Management Controller (BMC) - H610C
  • NetApp HCI Baseboard Management Controller (BMC) - H610S
  • NetApp HCI Baseboard Management Controller (BMC) - H615C
  • NetApp HCI Compute Node (Bootstrap OS)
  • NetApp HCI Compute Node BIOS
  • NetApp HCI Storage Node BIOS
  • NetApp Manageability SDK
  • NetApp NFS Plug-in for VMware VAAI
  • NetApp ONTAP PowerShell Toolkit (PSTK)
  • NetApp SANtricity SMI-S Provider
  • NetApp SolidFire & HCI Management Node
  • NetApp SolidFire & HCI Storage Node (Element Software)
  • NetApp SolidFire Plug-in for vRealize Orchestrator (SolidFire vRO)
  • NetApp Storage Encryption
  • NetApp VASA Provider for Clustered Data ONTAP 9.7 and above
  • NetApp XCP NFS
  • NetApp XCP SMB
  • ONTAP Mediator
  • ONTAP Select Deploy administration utility
  • OnCommand Insight
  • OnCommand Unified Manager Core Package
  • OnCommand Workflow Automation
  • SRA Plugin for Linux
  • SRA Plugin for Windows
  • Single Mailbox Recovery
  • Snap Creator Framework
  • SnapCenter
  • SnapCenter Plug-in for VMware vSphere/BlueXP backup and Recovery for Virtual Machine
  • SnapManager for Hyper-V
  • SolidFire Storage Replication Adapter
  • Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 9.7 and above
  • Storage Replication Adapter for Clustered Data ONTAP for Windows 7.2 and above
  • StorageGRID (formerly StorageGRID Webscale)
  • StorageGRID Baseboard Management Controller (BMC)
  • StorageGRID9 (9.x and prior)
  • System Manager 9.x
  • Virtual Storage Console for VMware vSphere 9.7 and above

Software Versions and Fixes

NetApp's currently available patches are listed below.


Product First Fixed in Release
Active IQ Unified Manager for VMware vSphere https://mysupport.netapp.com/site/products/all/details/activeiq-unified-manager/downloads-tab/download/62791/9.8
ONTAP 9 (formerly Clustered Data ONTAP) https://mysupport.netapp.com/site/products/all/details/ontap9/downloads-tab/download/62286/9.5P17
https://mysupport.netapp.com/site/products/all/details/ontap9/downloads-tab/download/62286/9.6P13
https://mysupport.netapp.com/site/products/all/details/ontap9/downloads-tab/download/62286/9.7P9
https://mysupport.netapp.com/site/products/all/details/ontap9/downloads-tab/download/62286/9.8
ONTAP Antivirus Connector https://mysupport.netapp.com/site/products/all/details/ontap-antivirus-connector/downloads-tab/download/63048/1.0.5/downloads
E-Series SANtricity OS Controller Software 11.x https://mysupport.netapp.com/site/products/all/details/eseries-santricityos/downloads-tab/download/62735/11.70.1.GA
NetApp Cloud Backup (formerly AltaVault) NetApp Cloud Backup (formerly AltaVault) has no plans to address this vulnerability. See the EOA announcement for more information.
NetApp Cloud Backup OST Plug-in (formerly AltaVault OST Plug-in) NetApp Cloud Backup OST Plug-in (formerly AltaVault OST Plug-in) has no plans to address this vulnerability. See the EOA announcement for more information.
NetApp Plug-in for Symantec NetBackup NetApp Plug-in for Symantec NetBackup has no plans to address this vulnerability. See the EOA announcement for more information.
NetApp SMI-S Provider https://mysupport.netapp.com/site/products/all/details/netapp-smis-provider/downloads-tab/download/62215/5.2.6P1
NetApp SolidFire Baseboard Management Controller (BMC) NetApp SolidFire Baseboard Management Controller (BMC) has no plans to address this vulnerability. See the EOA announcement for more information.
SnapDrive for Unix https://mysupport.netapp.com/site/products/all/details/snapdrive-unix/downloads-tab/download/30050/5.3.2P3
SnapDrive for Windows https://mysupport.netapp.com/site/products/all/details/snapdrive-windows/downloads-tab/download/30049/7.1.5P5

Workarounds

Clustered Data ONTAP:
Beginning with version 9.0 ciphers can be manually disabled using the "security config" command.
::*> security config modify -supported-ciphers CURRENT_CIPHER_STRING:!kDH

Obtaining Software Fixes

Software fixes will be made available through the NetApp Support website in the Software Download section.

https://mysupport.netapp.com/site/downloads/

Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.

Contact Information

Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:

Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)

Status of This Notice

Final.

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

This advisory is posted at the following link:
https://security.netapp.com/advisory/NTAP-20200911-0004

Revision History

Revision # Date Comments
1.0 20200911 Initial Public Release
2.0 20200914 E-Series SANtricity OS Controller Software 11.x moved to Affected Products and E-Series SANtricity OS Controller Baseboard Management Controller (BMC) - EF600A, NetApp SANtricity SMI-S Provider, ONTAP Select Deploy administration utility, StorageGRID Baseboard Management Controller (BMC), and StorageGRID9 (9.x and prior) moved to Products Not Affected
3.0 20200917 AFF Baseboard Management Controller (BMC) - A700s, Clustered Data ONTAP Antivirus Connector moved to Affected Products and Cloud Volumes ONTAP Mediator, FAS/AFF Baseboard Management Controller (BMC) - 8300/8700/A400, NetApp VASA Provider for Clustered Data ONTAP 7.2 and above, and Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 7.2 and above moved to Products Not Affected
4.0 20200921 After additional investigation AFF Baseboard Management Controller (BMC) - A700s moved from Affected Products to Products Not Affected, and Brocade Fabric Operating System Firmware and NetApp Storage Encryption moved to Products Not Affected
5.0 20200922 FAS/AFF Baseboard Management Controller (BMC) and Service Processor moved to Products Not Affected
6.0 20200923 NetApp HCI Baseboard Management Controller (BMC) - H610C, NetApp HCI Baseboard Management Controller (BMC) - H610S, NetApp HCI Baseboard Management Controller (BMC) - H615C, OnCommand Workflow Automation, and SnapCenter Plug-in for VMware vSphere moved to Products Not Affected
7.0 20200924 OnCommand Insight moved to Products Not Affected
8.0 20200928 Active IQ Unified Manager (formerly OnCommand Unified Manager) for Windows 7.3 and above, Active IQ Unified Manager (formerly OnCommand Unified Manager) for VMware vSphere 9.5 and above and Active IQ Unified Manager (formerly OnCommand Unified Manager) for Linux 7.3 and above moved to Affected Products
9.0 20201006 NetApp HCI Baseboard Management Controller (BMC) - H410C moved to Affected Products and NetApp HCI Baseboard Management Controller (BMC) - H300S/H500S/H700S/H300E/H500E/H700E/H410S moved to Products Not Affected
10.0 20201012 SnapDrive for Windows moved to Affected Products
11.0 20201019 SnapDrive moved to Products Not Affected and SnapDrive for Unix moved to Affected Products
12.0 20201030 NetApp SMI-S Provider moved to Affected Products
13.0 20201123 Clustered Data ONTAP added to Software Versions and Fixes
14.0 20201126 NetApp Converged Systems Advisor Agent moved to Products Not Affected
15.0 20210105 NetApp Plug-in for Symantec NetBackup moved to Won't Fix status
16.0 20210119 Active IQ Unified Manager (formerly OnCommand Unified Manager) for VMware vSphere 9.5 and above added to Software Versions and Fixes
17.0 20210121 Clustered Data ONTAP 9.8 added to Software Versions and Fixes, Impact and Workarounds updated for Clustered Data ONTAP
18.0 20210222 NetApp E-Series Performance Analyzer moved to Products Not Affected
19.0 20210225 Clustered Data ONTAP 9.6P13 added to Software Versions and Fixes
20.0 20210315 Clustered Data ONTAP Antivirus Connector added to Software Versions and Fixes
21.0 20210420 After additional review NetApp HCI Baseboard Management Controller (BMC) - H410C moved from Affected Products to Products Not Affected
22.0 20210428 After additional review Active IQ Unified Manager for Linux, and Active IQ Unified Manager for Microsoft Windows moved from Affected Products to Products Not Affected
23.0 20210508 SnapDrive for Windows added to Software Versions and Fixes
24.0 20210511 CVSS Score adjusted to align to NVD
25.0 20210528 Clustered Data ONTAP 9.5P17 added to Software Versions and Fixes
26.0 20210616 E-Series SANtricity OS Controller Software 11.x added to Software Versions and Fixes
27.0 20211101 NetApp SolidFire Baseboard Management Controller (BMC) moved to Won't Fix status
28.0 20211108 SnapDrive for Unix added to Software Versions and Fixes
29.0 20211126 NetApp SMI-S Provider added to Software Versions and Fixes
30.0 20220106 NetApp Cloud Backup (formerly AltaVault) moved to Won't Fix status
31.0 20240102 NetApp Cloud Backup OST Plug-in (formerly AltaVault OST Plug-in) moved to Won't Fix status, Final status

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2024 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.