Security vulnerabilities (formerly scanner results)
Applies to
Scanner Reports
Answer
Security vulnerabilities (formerly scanner results)
NetApp takes the security of our products very seriously and is committed to resolving vulnerabilities to meet the needs of our users and the broader technology community.
As a result of a continually changing threat landscape, NetApp is updating its Product Security Vulnerability Handling and Response Policy. NetApp has stopped maintaining the static tables that previously existed on the Scanner Results page. Recognizing that users are still interested in information related to potential security vulnerabilities, Common Vulnerability Exposure (CVE) identifiers are searchable in our Bug Tools, Knowledgebase, and Support sites.
Our current Security policy is available for review on the NetApp Security landing page: https://security.netapp.com/
Current Advisory and Notice Documents
This page will not be updated for new CVEs. Security advisories for announced vulnerabilities can be located here: https://security.netapp.com/advisory/
The Support and Security Advisory sites should become the first stop when searching for CVEs impacting NetApp products.
The following are tables that can help you understand legacy security vulnerabilities related to NetApp products that third-party security scanners might report.
TABLE A describes CVEs that identify security vulnerabilities applicable to a NetApp product.
TABLE B describes CVEs that identify security vulnerabilities that might be reported by vulnerability scanners. These vulnerabilities constitute 'false positives' reported by vulnerability scanners for user-shipped releases and thus are not believed to represent security exposures for the NetApp products.
The columns display the CVE number and the NetApp bug tracking number (referred to as a tracking ID on other security pages) where possible, or a title where a bug tracking number is not available.
It is strongly recommended that end users implement layers of security following security best-practices, including running antivirus tools on the data. NetApp storage systems function like file systems to any attached clients. While NetApp products might not propagate a given issue, the files and other data objects stored on a NetApp storage system can still be affected by an infected client.
TABLE A: Applicable CVEs
The listed CVEs might have been applicable to at least one release of Data ONTAP. The Public Report for the provided bug tracking number will show the first 'fixed release' when the suspected vulnerability was remediated as well as the subsequent releases that are not subject to the identified vulnerability.
Data ONTAP
CVE |
Bug ID |
CVE-2005-2969 |
|
CVE-2006-4339 |
|
CVE-2008-5077 |
|
CVE-2008-4609 |
|
CVE-2009-3555 |
|
CVE-2009-4146, CVE-2009-4147 |
|
CVE-2009-3563 |
|
CVE-2004-2761 |
|
CVE-2008-5161 |
|
CVE-2006-0225 |
|
CVE-2004-0230 |
|
CVE-1999-0524 |
|
CVE-2011-3210 |
|
CVE-2007-1536 |
|
CVE-2007-3798 |
|
CVE-2008-3890 |
|
CVE-2006-7243, CVE-2010-1128, CVE-2010-1129, CVE-2010-1130, CVE-2010-2094, CVE-2010-2950, CVE-2010-3436, CVE-2010-3709, CVE-2010-3710, CVE-2010-3870, CVE-2010-4150, CVE-2010-4156, CVE-2010-4409, CVE-2010-4645, CVE-2010-4697, CVE-2010-4698, CVE-2010-4699, CVE-2010-4700, CVE-2011-0421, CVE-2011-0708, CVE-2011-0753, CVE-2011-0754, CVE-2011-0755, CVE-2011-1092, CVE-2011-1148, CVE-2011-1153, CVE-2011-1464, CVE-2011-1466, CVE-2011-1467, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470, CVE-2011-1657, CVE-2011-1938, CVE-2011-2202, CVE-2011-2483, CVE-2011-3182, CVE-2011-3267, CVE-2011-3268, CVE-2011-4566, CVE-2012-0057, CVE-2012-0781, CVE-2012-0788, CVE-2012-0789, CVE-2011-4885, CVE-2012-3365, CVE-2012-2688, CVE-2012-1823, CVE-2010-0397, CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-1917, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2225, CVE-2010-2484, CVE-2010-2531, CVE-2010-3062, CVE-2010-3063, CVE-2010-3064, CVE-2010-3065 |
|
CVE-2006-5794 |
|
CVE-2012-2110 |
|
CVE-2012-1165 |
|
CVE-2013-0169, CVE-2013-0166, CVE-2012-2333, CVE-2012-2131, CVE-2012-2110, CVE-2012-0884, CVE-2012-0050, CVE-2011-4619, CVE-2011-4577, CVE-2011-4576, CVE-2011-4109, CVE-2011-4108, CVE-2011-0014, CVE-2010-4252, CVE-2010-4180, CVE-2010-3864, CVE-2010-2939, CVE-2010-0742 |
|
CVE-2005-2969 |
|
CVE-2011-1473 |
Management Tools and Client Products
CVE |
Bug ID |
CVE-2004-0942, CVE-2005-2728 |
|
CVE-2007-6203 |
|
CVE-2009-3555 |
|
CVE-2009-3720, CVE-2009-3560, CVE-2010-1623, CVE-2010-2068, CVE-2010-1452, CVE-2010-0425, CVE-2010-0434, CVE-2010-0408, CVE-2009-3094, CVE-2009-3095, CVE-2009-2699, CVE-2009-2412, CVE-2009-1890, CVE-2009-1191, CVE-2009-1891, CVE-2009-1195, CVE-2008-0456, CVE-2009-1956, CVE-2009-1955, CVE-2009-0023 |
|
CVE-2010-4476 |
|
CVE-2010-4476 |
|
CVE-2010-4476 |
|
CVE-2010-4476 |
|
CVE-2011-0419, CVE-2011-3192, CVE-2011-3348 |
|
CVE-2010-4476 |
|
CVE-2012-0021, CVE-2011-3368, CVE-2011-3607, CVE-2011-4317, CVE-2012-0031, CVE-2012-0053, CVE-2011-3192, CVE-2009-0023, CVE-2009-1191, CVE-2009-1195, CVE-2009-1891, CVE-2009-1955, CVE-2009-1956, CVE-2009-1890 |
|
CVE-2012-0884 |
|
CVE-2012-2131 |
|
CVE-2012-1165 |
|
CVE-2013-3320 |
|
CVE-2013-3321 |
|
CVE-2013-3322 |
|
CVE-2013-0169 |
|
CVE-2014-0098, CVE-2013-6438, CVE-2013-4365, CVE-2013-2249, CVE-2013-2765, CVE-2013-1896, CVE-2013-1862, CVE-2012-3499, CVE-2012-4558, CVE-2012-0883, CVE-2012-2687, CVE-2011-3368, CVE-2011-3607, CVE-2011-4317, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053, CVE-2012-4557, CVE-2011-3348, CVE-2011-3192 |
TABLE B: False-Positive and Never Applicable CVEs
These CVEs are either 'false positives' reported by vulnerability scanners or were never applicable to user-shipping versions of the respective NetApp products.
Data ONTAP
CVE |
Bug ID |
CVE-2000-0666 | 706057 |
CVE-2000-0800 | 746293 |
CVE-2005-2798 |
|
CVE-2006-0225 |
|
CVE-2006-0900 |
|
CVE-2004-0175 |
|
CVE-2007-4752 |
|
CVE-2008-1483 |
|
CVE-2008-3259 |
|
CVE-2003-0190 |
|
CVE-2009-1890 |
|
CVE-2010-0434 |
|
CVE-2010-3069 |
|
CVE-2005-1849 |
|
CVE-2011-0546 |
|
CVE-2012-0027, CVE-2011-4577, CVE-2011-4109, CVE-2011-4108 |
|
CVE-2012-0050 |
|
CVE-2003-1562 |
|
CVE-2006-0883 |
|
CVE-2011-4313 |
|
CVE-2011-1910 |
|
CVE-2006-4925 |
|
CVE-1999-0625 |
|
CVE-2012-1182 |
|
CVE-2012-2110 |
|
CVE-2008-1657 |
|
CVE-2011-4327 |
|
CVE-2013-2686, CVE-2013-0169 |
|
CVE-2013-0166 |
|
CVE-2004-0079 |
|
CVE-2004-0112 |
|
CVE-2004-0975 |
|
CVE-2008-0891 |
|
CVE-2009-0590 |
|
CVE-2009-0591 |
|
CVE-2009-3245 |
|
CVE-2009-4355 |
|
CVE-2010-0433 |
|
CVE-2010-0742 |
|
CVE-2010-1633 |
|
CVE-2011-3207 |
|
CVE-2010-1452 |
|
CVE-2010-2068 |
|
CVE-2007-2243 |
|
CVE-2000-1200 |
|
CVE-2006-5794 |
|
CVE-2006-4925 |
Management Tools and Client Products
CVE |
Bug ID |
CVE-2011-0419 |
|
CVE-2012-3499, CVE-2012-4558 |
Disclaimer
NetApp provides no representations or warranties regarding the accuracy, reliability, or serviceability of any information or recommendations provided in this publication, or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS, and the use of this information or the implementation of any recommendations or techniques herein is a customer’s responsibility and depends on the customer’s ability to evaluate and integrate them into the customer’s operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.
Additional Information
additionalInformation_text