# Critical severity vulnerabilities affecting OpenSSH


next loom
#

More Information about the vulnerability can be found here: https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

Could any NetApp product be affected by this alert, especially ONTAP cluster or StorageGRID?


quartz axle
#

it only affects Linux systems (which ONTAP isn't) with glibc (which ONTAP doesn't use), and the exploit (which might be incorrect anyway according to some sources) has so far only been shown to work on 32-bit architectures (which all NetApp systems in the last 10 years aren't)... so I guess you're safe, but I guess a patch will still be forthcoming for all the "CVE-crazy" admins and SOCs out there 😉

hollow ledge
#

All available information is listed here and is being updated.

steep heath
#

Engineering and our PSIRT team are still reviewing.

quartz axle
#

they're theoretically impacted, but any successful exploit has to correctly guess an address in 64 bit address space, which is much more unlikely than guessing an address in 32 bit address space (with every bit more the time required doubles, and this is a very slow vulnerability in the first place)

#

so yeah, still worth fixing but unless you have SSH open to the world you're probably safe for a few years

next loom
#

ONTAP 9 (formerly Clustered Data ONTAP): While the exploit has not been demonstrated on FreeBSD, ONTAP is not able to be confirmed as not exploitable. The default ONTAP values for LoginGraceTime and MaxStartups reduce the chance of successful exploit.

Upon the update, it sounds like we need to adjust the default values for LoginGraceTime and MaxStartups in order to reduce the risk. Without contacting Support, does anybody here know how to change the values, and to what?

quartz axle
#

"the default values reduce the chances of a successful exploit" sounds to me like "the default values are okay"

#

LoginGraceTime 30 and MaxStartups 10:30:60 seems to be the default (at least that's what it is set to on 9.8, 9.14.1 and 9.15.1)
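As an added example (not from this thread, NetApp, or OpenSSH), the Python below parses those two keywords from a constructed sshd_config excerpt and models the documented MaxStartups start:rate:full behaviour, so the reported defaults can be read as a concrete throttle on unauthenticated connections. The excerpt is constructed; the integer arithmetic follows sshd's documented drop logic.

```python
import re

# Constructed sshd_config excerpt (not taken from an ONTAP system); the values
# are the defaults this thread reports for ONTAP 9.8, 9.14.1 and 9.15.1.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
LoginGraceTime 30
MaxStartups 10:30:60
LoginGraceTime 120   # ignored: sshd keeps the first value of each keyword
"""

def parse_sshd_config(text):
    """Map lowercase keywords to values; the first occurrence wins, as in sshd."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def parse_max_startups(value):
    """Parse 'start:rate:full'; a bare number refuses everything at that count."""
    fields = [int(f) for f in value.split(":")]
    if len(fields) == 1:
        return fields[0], 100, fields[0]
    if len(fields) != 3 or not (0 < fields[0] <= fields[2] and 0 <= fields[1] <= 100):
        raise ValueError(f"invalid MaxStartups: {value}")
    return tuple(fields)

def drop_probability(unauth_now, start, rate, full):
    """Percent chance a new connection is refused with unauth_now unauthenticated
    connections open: 0 below start, rate at start, linear up to 100 at full."""
    if unauth_now < start:
        return 0
    if unauth_now >= full:
        return 100
    return rate + (100 - rate) * (unauth_now - start) // (full - start)

def throttle_summary(config_text):
    """Summarise the unauthenticated-connection budget the two keywords impose."""
    conf = parse_sshd_config(config_text)
    grace = int(conf.get("logingracetime", 120))            # OpenSSH default 120
    start, rate, full = parse_max_startups(conf.get("maxstartups", "10:30:100"))
    probe_points = (start - 1, start, (start + full) // 2, full)
    return {
        "login_grace_seconds": grace,   # each unauthenticated session lives at most this long
        "drop_starts_at": start,
        "hard_cap": full,
        "drop_curve": {n: drop_probability(n, start, rate, full) for n in probe_points},
    }
```

With the sample values, refusals begin at 10 open unauthenticated connections (30%), reach 65% at 35, and every new attempt is refused at 60, each such session being cut off after 30 seconds.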

next loom
#

Please advise how to find out what default values are on ONTAP 9 OR on 9.11 and 9.12?

quartz axle
#

it's an OpenSSH setting. So in systemshell you can find the values in /etc/ssh/sshd_config. Note that editing that file is not supported, and may lock you out of your cluster (that has happened to some of our customers in the past)

steep heath
#

Please open a case before you muck with that. It's not that we don't think you know what to do, but there may be a supported way. We will have patches available soon I'm sure.

next loom
#

No, we don't need to muck with it, since default values should be fine as indicated by the link.
