CERT Coordination Center

NetApp Data ONTAP contains multiple vulnerabilities

Vulnerability Note VU#329772

Original Release Date: 2008-07-25 | Last Revised: 2008-07-28

Overview

NetApp Data ONTAP contains multiple vulnerabilities. The most severe of these vulnerabilities may allow an attacker to execute commands, view sensitive data, or cause a system to crash.

Description

NetApp Data ONTAP contains multiple undisclosed vulnerabilities.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary commands, view log files or other sensitive data, or cause a vulnerable system to crash.

Solution

Upgrade

These issues are fixed in new maintenance releases designated Data ONTAP 7.0.7, 7.1.3, and 7.2.5.1. Administrators with active support agreements are encouraged to log in to the NetApp portal to access more information about these issues:
http://now.netapp.com/NOW/products/cpc/cpc0807-01.shtml
http://now.netapp.com/NOW/products/cpc/cpc0807-02.shtml
http://now.netapp.com/NOW/products/cpc/cpc0807-03.shtml

Operators are advised to upgrade to one of these releases as soon as possible. Administrators running systems with Data ONTAP that were purchased from an OEM other than NetApp should see their OEM for updates.


Restrict access

Some of these vulnerabilities can be mitigated by restricting access to a vulnerable system. Administrators should consider using httpd.admin.access or other access controls.

Vendor Information

NetApp Affected

Notified:  June 30, 2008 Updated: July 28, 2008

Status

Affected

Vendor Statement

RESOLUTION:

These issues are fixed in new maintenance releases designated Data ONTAP 7.0.7, 7.1.3, and 7.2.5.1, available (with an appropriate NOW account) at:
http://now.netapp.com/NOW/download/software/ontap/7.0.7/download.shtml
http://now.netapp.com/NOW/download/software/ontap/7.1.3/download.shtml
http://now.netapp.com/NOW/download/software/ontap/7.2.5.1/download.shtml
Customers are advised to upgrade to one of these releases as soon as practicable.

Important note for customers using NetApp systems obtained from OEM partners:
Although NetApp has completed testing for these releases, if you obtained NetApp systems from one of our OEM partners, please contact the OEM vendor about the availability of their support with their configurations and compatibility matrices.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified:  July 07, 2008 Updated: July 07, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           0      AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal       0      E:ND/RL:ND/RC:ND
Environmental  0      CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to NetApp for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 18.04
Date Public: 2008-06-25
Date First Published: 2008-07-25
Date Last Updated: 2008-07-28 17:33 UTC
Document Revision: 16

Sponsored by CISA.