search menu icon-carat-right cmu-wordmark

CERT Coordination Center

NetApp Data ONTAP contains multiple vulnerabilities

Vulnerability Note VU#329772

Original Release Date: 2008-07-25 | Last Revised: 2008-07-28

Overview

NetApp Data ONTAP contains multiple vulnerabilities. The most severe of these vulnerabilities may allow an attacker to execute commands, view sensitive data, or cause a system to crash.

Description

NetApp Data ONTAP contains multiple undisclosed vulnerabilities.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary commands, view log files or other sensitive data, or cause a vulnerable system to crash.

Solution

Upgrade

These issues are fixed in new maintenance releases designated Data ONTAP 7.0.7, 7.1.3, and 7.2.5.1. Administrators with active support agreements are encouraged to log in to the NetApp portal to access more information about these issues:
http://now.netapp.com/NOW/products/cpc/cpc0807-01.shtml
http://now.netapp.com/NOW/products/cpc/cpc0807-02.shtml
http://now.netapp.com/NOW/products/cpc/cpc0807-03.shtml

Operators are advised to upgrade to one of these releases as soon as possible. Administrators running systems with Data ONTAP that were purchased from an OEM other than NetApp should see their OEM for updates.


Restrict access

Some of these vulnerabilities can be mitigated by restricting access to a vulnerable system. Administrators should consider using httpd.admin.access or other access controls.

Vendor Information

329772
 
Affected   Unknown   Unaffected

NetApp

Notified:  June 30, 2008 Updated:  July 28, 2008

Status

  Vulnerable

Vendor Statement

RESOLUTION:

These issues are fixed in new maintenance releases designated Data ONTAP 7.0.7, 7.1.3, and 7.2.5.1, available (with an appropriate NOW account) at:
http://now.netapp.com/NOW/download/software/ontap/7.0.7/download.shtml
http://now.netapp.com/NOW/download/software/ontap/7.1.3/download.shtml
http://now.netapp.com/NOW/download/software/ontap/7.2.5.1/download.shtml
Customers are advised to upgrade to one of these releases as soon as practicable.

Important note for customers using NetApp systems obtained from OEM partners:
Although NetApp has completed testing for these releases, if you obtained NetApp systems from one of our OEM partners, please contact the OEM vendor about the availability of their support with their configurations and compatibility matrices.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer

Notified:  July 07, 2008 Updated:  July 07, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to NetApp for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 18.04
Date Public: 2008-06-25
Date First Published: 2008-07-25
Date Last Updated: 2008-07-28 17:33 UTC
Document Revision: 15

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.