NetApp Clustered Data ONTAP Vulnerabilities - Lenovo Support NL

**Lenovo Security Advisory:**LEN-56879

**Potential Impact:**Unauthorized modification, information disclosure

**Severity:**Medium

**Scope of Impact:**Industry-wide

**CVE Identifier:**CVE-2020-8578, CVE-2020-8581, CVE-2020-8588, CVE-2020-8589, CVE-2020-8590

Summary Description:

NetApp reported the following vulnerabilities in NetApp Clustered Data ONTAP.

CVE-2020-8578: NetApp Clustered Data ONTAP versions prior to 9.3P20 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the –remove-private-data parameter is set to true.

CVE-2020-8581: NetApp reported that NetApp Clustered Data ONTAP versions prior to 9.3P20 and 9.5 are susceptible to a vulnerability which could allow an authenticated but unauthorized attacker to overwrite arbitrary data when VMware vStorage support is enabled.

CVE-2020-8588: NetApp Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the existence of data on other Storage Virtual Machines (SVMs).

CVE-2020-8589: NetApp Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the names of other Storage Virtual Machines (SVMs) and filenames on those SVMs.

CVE-2020-8590: NetApp Clustered Data ONTAP versions prior to 9.1P18 and 9.3P12 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the –remove-private-data parameter is set to true.

Mitigation Strategy for Customers (what you should do to protect yourself):

NetApp recommends updating to the appropriate NetApp Clustered Data ONTAP version for your product as indicated in the Product Impact section below.