5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.952 High
EPSS
Percentile
99.2%
Multiple N series products incorporate the OpenSSL software libraries to provide cryptographic capabilities. OpenSSL versions below 1.0.2h and 1.0.1t are susceptible to vulnerabilities that could lead to out-of-bound writes, heap corruption, man-in-the-middle attacks, memory exhaustion, or arbitrary information disclosure. Multiple N series Products have addressed the applicable CVE.
CVEID: CVE-2016-0800**
DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions. By using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle, an attacker could exploit this vulnerability to decrypt TLS sessions between clients and non-vulnerable servers. This vulnerability is also known as the DROWN attack.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111139 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Data ONTAP operating in 7-Mode: 8.2.1, 8.2.2, 8.2.3, 8.2.4;
N series Snap Creator Framework: 4.1.0, 4.1.2, 4.3;
SnapDrive for Unix: 5.2, 5.2.2, 5.3;
SnapDrive for Windows: 7.1.1, 7.1.2, 7.1.3;
For N series Snap Creator Framework: the fix exists from microcode version 4.3.1;
For SnapDrive for Unix: the fix exists from microcode version 5.3.1;
For SnapDrive for Windows: the fix exists from microcode version 7.1.4;
Please contact IBM support or go to this link to download a supported release.
For customers who are using Data ONTAP operating in 7-Mode, please enable TLS then disable SSLv2 and v3 in ONTAP by below method.
TLS is disabled by default and must be enabled prior to disabling SSL to ensure uninterrupted secure communication.
DataMotion for vFiler REQUIRESthat SSLv3 be enabled - enabling only TLSv1 will prevent secure DataMotion from succeeding.
1. Enable TLS using the Data ONTAP command line interface:`
controller1> options tls.enable
tls.enable off
controller1> options tls.enable on
controller1> options tls.enable
tls.enable on ** Note:** If the error
Could not set option for https/ftps traffic. Try againis reported while enabling TLS, run the
secureadmin setup -f ssl` command and then attempt to enable TLS again.
2. Disable only SSLv2 and v3 using the Data ONTAP command line interface:`
controller1> options ssl
ssl.enable on
ssl.v2.enable on
ssl.v3.enable on
controller1> options ssl.v3.enable off
controller1> options ssl.v2.enable off
controller1> options ssl
ssl.enable on <<<< THIS MUST REMAIN ON FOR TLS TO WORK
ssl.v2.enable off
ssl.v3.enable off ** Note:** Even though the
httpdand
ldapoptions mention SSL, they will use TLS when the
SSLv2and
SSLv3` options are disabled.
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.952 High
EPSS
Percentile
99.2%