Security Bulletin
Summary
Multiple N series products incorporate the OpenSSL software libraries to provide cryptographic capabilities. OpenSSL versions below 1.0.2h and 1.0.1t are susceptible to vulnerabilities that could lead to out-of-bound writes, heap corruption, man-in-the-middle attacks, memory exhaustion, or arbitrary information disclosure. Multiple N series Products have addressed the applicable CVE.
Vulnerability Details
CVEID: CVE-2016-0800
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions. By using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle, an attacker could exploit this vulnerability to decrypt TLS sessions between clients and non-vulnerable servers. This vulnerability is also known as the DROWN attack.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111139 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Affected Products and Versions
Data ONTAP operating in 7-Mode: 8.2.1, 8.2.2, 8.2.3, 8.2.4;
N series Snap Creator Framework: 4.1.0, 4.1.2, 4.3;
SnapDrive for Unix: 5.2, 5.2.2, 5.3;
SnapDrive for Windows: 7.1.1, 7.1.2, 7.1.3;
Remediation/Fixes
For N series Snap Creator Framework: the fix exists from microcode version 4.3.1;
For SnapDrive for Unix: the fix exists from microcode version 5.3.1;
For SnapDrive for Windows: the fix exists from microcode version 7.1.4;
Please contact IBM support or go to this link to download a supported release.
Workarounds and Mitigations
For customers who are using Data ONTAP operating in 7-Mode, please enable TLS then disable SSLv2 and v3 in ONTAP by below method.
TLS is disabled by default and must be enabled prior to disabling SSL to ensure uninterrupted secure communication.
DataMotion for vFiler REQUIRES that SSLv3 be enabled - enabling only TLSv1 will prevent secure DataMotion from succeeding.
1. Enable TLS using the Data ONTAP command line interface:
controller1> options tls.enable
tls.enable off
controller1> options tls.enable on
controller1> options tls.enable
tls.enable on
Note: If the error Could not set option for https/ftps traffic. Try again is reported while enabling TLS, run the secureadmin setup -f ssl command and then attempt to enable TLS again.
2. Disable only SSLv2 and v3 using the Data ONTAP command line interface:
controller1> options ssl
ssl.enable on
ssl.v2.enable on
ssl.v3.enable on
controller1> options ssl.v3.enable off
controller1> options ssl.v2.enable off
controller1> options ssl
ssl.enable on <<<< THIS MUST REMAIN ON FOR TLS TO WORK
ssl.v2.enable off
ssl.v3.enable off
Note: Even though the httpd and ldap options mention SSL, they will use TLS when the SSLv2 and SSLv3 options are disabled.
Get Notified about Future Security Bulletins
References
Change History
12 December 2017: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
Was this topic helpful?
Document Information
Modified date:
15 December 2021
UID
ssg1S1010840