#The regreSSHion Bug is back...


cosmic walrus
#

And ONTAP seems to be affected? CVE-2024-6387

cosmic walrus
broken creek
#

Affected does not mean it's vulnerable though.

cosmic walrus
broken creek
#

Yes, but only x86 is currently exploitable.
And as Qualys states, "OpenBSD systems are unaffected by this bug". Since ONTAP is FreeBSD-based, it could be that ONTAP is also not vulnerable.

#

In the end we have to wait for what NetApp says 🙂

cosmic walrus
#

I am looking forward to 9.15.1, where I think they will add an easier way to apply security fixes, possibly without reboots (that's what I heard)...

broken creek
#

That would be news to me. You may be thinking about improvements for certain firmware updates like BIOS, TPM, etc., which often lead to multiple reboots. They claimed to have improved that, so one reboot during an ONTAP update should be enough most of the time.

#

But I'm not aware that you could patch anything inside ONTAP without any reboot.

odd willow
#

Just because ONTAP announces any particular version (of something that is not ONTAP) does not necessarily mean it is that version. NetApp does not always update version information when a module is used in ONTAP.

I see this all the time in security vulnerability scans performed externally, where the scan has no idea it is scanning a NetApp. Once the scan is given a read-only account to scan internally, it usually works fine.
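The point about banner-based scans flagging appliances is easy to reproduce in a small triage script. The following is an added example (not code from the thread or from NetApp): it classifies OpenSSH banners against the upstream release range the Qualys advisory lists for CVE-2024-6387 (8.5p1 up to, not including, 9.8p1) and marks in-range hits as "verify" rather than "vulnerable", because a vendor build may carry a backported fix behind an unchanged version string. The sample banners are constructed, not captured from any real host.

```python
import re
from typing import Optional, Tuple

# Affected upstream OpenSSH releases for CVE-2024-6387 per the Qualys
# advisory: 8.5p1 through 9.7p1; 9.8p1 ships the fix. The old pre-4.4p1
# range is deliberately left out of this example.
AFFECTED_MIN = (8, 5)
FIXED = (9, 8)

# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3" -> major, minor, portable rev, vendor suffix
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(.*))?$")


def parse_banner(banner: str) -> Optional[Tuple[Tuple[int, int], str]]:
    """Return ((major, minor), vendor_suffix) or None for non-OpenSSH banners."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))), (m.group(4) or "")


def triage(banner: str) -> str:
    """Classify an unauthenticated banner observation for this CVE.

    'not-openssh'            : some other SSH server, out of scope here
    'outside-range'          : upstream version not in the affected range
    'in-range-verify'        : upstream version in range; confirm with an
                               authenticated (read-only) check, never assume
    'in-range-verify-vendor-build': same, but a vendor/distro suffix is present,
                               so a backported fix is likely; verify first
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-openssh"
    version, suffix = parsed
    if not (AFFECTED_MIN <= version < FIXED):
        return "outside-range"
    return "in-range-verify" + ("-vendor-build" if suffix else "")


# Constructed sample banners for demonstration only.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",  # distro build, likely backported
    "SSH-2.0-OpenSSH_9.7",                       # upstream build in range
    "SSH-2.0-OpenSSH_9.8p1",                     # fixed release
    "SSH-2.0-OpenSSH_8.4",                       # below affected range
    "SSH-2.0-dropbear_2022.83",                  # different server entirely
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:45s} -> {triage(b)}")
```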

main berry
#

In any case, only glibc-based systems are affected by that CVE, and an exploit has only been demonstrated for x86, not x86-64. So ONTAP is almost certainly safe, especially if your ONTAP is reachable only inside the LAN and not through the internet.
But the whole CVE system is flawed anyway 🤷‍♂️

cyan hemlock
#

ONTAP is affected according to that advisory.

Edit: Oops under investigation...