Vulnerability scanner reports 'OpenSSH version Not Installed Multiple Vulnerabilities' or to 'Upgrade to OpenSSH version'
Applies to
- ONTAP 9
Answer
Information
This is a common result from vulnerability scanners that match on reported version strings. A product such as ONTAP may choose not to upgrade third-party code when a fix can be backported or a configuration change addresses the issue. If an advisory lists a fixed version of the product, the fix is present in that version regardless of the base OpenSSH version the scanner identifies. Upgrading the product only to avoid a scanner hit is maximum effort for short-term gain, since OpenSSH will continue to have vulnerabilities discovered.
NetApp security advisories track the exploitability status of our products, not whether the products ship vulnerable versions of software. Vulnerability scanners search for vulnerable versions of third-party code (among other things) but do not test for exploitability. The resulting report lists potential vulnerabilities for follow-up: it shows that vulnerable versions of code may be in use, but it should not be read as a report of exploitable issues. Our posted security advisories are the authoritative answers for those issues and should be considered the single source of current, up-to-date, authorized and accurate information from NetApp for the CVE IDs they cover.
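The triage step this implies, reconciling a version-based scanner finding against the fixed versions an advisory lists, is shown below as an added example. It is not NetApp code and not part of this article; the CVE IDs, ONTAP versions, OpenSSH banner and advisory table are constructed placeholders, and the ONTAP version format it parses (major.minor.micro with an optional P-level) is an assumption made for the example.

```python
"""
Added example: triage scanner findings that key on the OpenSSH banner
against a vendor advisory's fixed-version list, instead of treating the
banner version alone as proof of an exploitable issue.

Every CVE ID, version and banner here is a constructed placeholder.
"""
import re

# Assumed ONTAP version shape for this example: 9.12.1P4, 9.13.1, 9.11.1P9
ONTAP_RE = re.compile(r'^(\d+)\.(\d+)(?:\.(\d+))?(?:P(\d+))?$')
BANNER_RE = re.compile(r'OpenSSH_([0-9][\w.]*)')


def parse_ontap_version(text):
    """Return (major, minor, micro, patch) so versions compare as tuples."""
    m = ONTAP_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ONTAP version: %r" % text)
    return tuple(int(x) if x else 0 for x in m.groups())


def openssh_version_from_banner(banner):
    """Extract the version string a scanner matches on, e.g. 'SSH-2.0-OpenSSH_8.7' -> '8.7'.

    This is the only evidence a version-matching scanner has; it does not
    reflect backported fixes, which is why the result needs reconciling."""
    m = BANNER_RE.search(banner)
    return m.group(1) if m else None


def triage(finding, installed_ontap, advisory):
    """Classify one scanner finding against the advisory table.

    advisory maps CVE ID -> list of fixed ONTAP versions, one per release
    train (major.minor). A finding is closed only when the installed version
    is at or above the fixed version for its own train."""
    cve = finding["cve"]
    if cve not in advisory:
        return "not-in-advisory"      # no vendor statement yet; keep open for follow-up
    installed = parse_ontap_version(installed_ontap)
    train = installed[:2]
    for fixed_text in advisory[cve]:
        fixed = parse_ontap_version(fixed_text)
        if fixed[:2] == train:
            return "fixed-in-release" if installed >= fixed else "upgrade-required"
    return "train-not-listed"         # advisory lists other trains only; consult it directly


def triage_report(findings, installed_ontap, advisory):
    """Map each CVE in the scanner output to its triage status."""
    return {f["cve"]: triage(f, installed_ontap, advisory) for f in findings}


# Constructed sample data (placeholders, not real advisory content).
SAMPLE_ADVISORY = {
    "CVE-0000-0001": ["9.11.1P9", "9.12.1P4"],
    "CVE-0000-0002": ["9.12.1"],
}
SAMPLE_FINDINGS = [
    {"host": "filer01", "cve": "CVE-0000-0001", "banner": "SSH-2.0-OpenSSH_8.7"},
    {"host": "filer01", "cve": "CVE-0000-0002", "banner": "SSH-2.0-OpenSSH_8.7"},
    {"host": "filer01", "cve": "CVE-0000-0009", "banner": "SSH-2.0-OpenSSH_8.7"},
]

if __name__ == "__main__":
    print("scanner saw OpenSSH", openssh_version_from_banner(SAMPLE_FINDINGS[0]["banner"]))
    for cve, status in triage_report(SAMPLE_FINDINGS, "9.12.1P5", SAMPLE_ADVISORY).items():
        print(cve, "->", status)
```

Findings that come back as `fixed-in-release` are the ones the article describes: the banner still names an older OpenSSH, but the advisory states the product version carries the fix. Anything else stays on the follow-up list until the advisory, not the banner, settles it.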
Additional Information
What version of OpenSSH is included with each ONTAP release?