NetApp: Three Security Advisories on Resolved Vulnerabilities

NetApp, Inc. had published 3 security advisories concerning vulnerabilities in its products.

CVE-2023-20862 Spring Security vulnerability in NetApp products

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

Advisory ID: NTAP-20230526-0002
Version: 5.0
Last updated: 11/01/2023
Status: Final.
CVEs: CVE-2023-20862

Summary
Multiple NetApp products incorporate Spring Security. Spring Security versions 6.0.0 prior to 6.0.3, 5.8.0 prior to 5.8.3, and 5.7.0 prior to 5.7.8 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Impact
Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Active IQ Unified Manager for Linux, Active IQ Unified Manager for VMware vSphere, Active IQ Unified Manager for VMware vSphere: Affects only versions 9.11 and 9.12.

Vulnerability scoring details

CVE	Score	Vector
CVE-2023-20862	9.8 (CRITICAL)	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation and public announcements
NetApp is aware of public discussion of this vulnerability.

References: https://spring.io/security/cve-2023-20862

Affected products

• Active IQ Unified Manager for Linux

• Active IQ Unified Manager for Microsoft Windows

• Active IQ Unified Manager for VMware vSphere

Software versions and fixes
NetApp’s currently available patches are listed below.

Product	First fixed in release
Active IQ Unified Manager for Microsoft Windows	https://mysupport.netapp.com/site/products/all/details/activeiq_um/downloads-tab/download/62791/9.13P1/
Active IQ Unified Manager for VMware vSphere	https://mysupport.netapp.com/site/products/all/details/activeiq_um/downloads-tab/download/62791/9.13P1/
Active IQ Unified Manager for Linux	https://mysupport.netapp.com/site/products/all/details/activeiq_um/downloads-tab/download/62791/9.13P1/

Workarounds : None at this time.

Obtaining software fixes
Software fixes will be made available through the NetApp Support website in the Software Download section.

Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.

Contact information
Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:

Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)

Status of this notice : Final
This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions. This advisory is posted at this link:

Revision history

Revision #	Date	Comments
1.0	20230526	Initial public release
2.0	20230526	Active IQ Unified Manager added to Impact
3.0	20230628	SnapCenter Plug-in for VMware vSphere moved to Products Not Affected
4.0	20230801	Brocade SAN Navigator (SANnav) moved to Products Not Affected
5.0	20231101	Active IQ Unified Manager for Linux, Active IQ Unified Manager for Microsoft Windows, and Active IQ Unified Manager for VMware vSphere added to Software Versions and Fixes, Final status

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp.

CVE-2016-1000027 Spring Framework vulnerability in NetApp products

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

Advisory ID: NTAP-20230420-0009
Version: 6.0
Last updated: 11/01/2023
Status: Final.
CVEs: CVE-2016-1000027

Summary
Multiple NetApp products incorporate Spring Framework. Pivotal Spring Framework versions prior to 6.0.0 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Impact
Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Vulnerability scoring details

CVE	Score	Vector
CVE-2016-1000027	9.8 (CRITICAL)	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation and public announcements
NetApp is aware of public discussion of this vulnerability.

References: https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626

Affected products

• Brocade SAN Navigator (SANnav)

Software versions and fixes
NetApp’s currently available patches are listed below.

Product	First fixed in release
Brocade SAN Navigator (SANnav)	Fixed in 2.3.0.

Workarounds : None at this time.

Obtaining software fixes
Software fixes will be made available through the NetApp Support website in the Software Download section.

Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.

Contact information: Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:

Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)

Status of this notice : Final
This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

This advisory is posted at this link.

Revision history

Revision #	Date	Comments
1.0	20230420	Initial public release
2.0	20230503	SnapCenter moved to Products Not Affected
3.0	20230505	Active IQ Unified Manager for Microsoft Windows, Active IQ Unified Manager for VMware vSphere, Active IQ Unified Manager for Linux moved to Products Not Affected
4.0	20230512	7-Mode Transition Tool moved to Products Not Affected
5.0	20230606	SnapCenter Plug-in for VMware vSphere moved to Products Not Affected
6.0	20231101	Brocade SAN Navigator (SANnav) moved to Affected Products and added to Software Versions and Fixes, Final status

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp.

CVE-2023-4863 Libwebp vulnerability in NetApp products

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

Advisory ID: NTAP-20230929-0011
Version: 6.0
Last updated: 11/02/2023
Status: Final.
CVEs: CVE-2023-4863

Summary
Multiple NetApp products incorporate libwebp. Libwebp versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Impact
Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Active IQ Unified Manager for VMware vSphere: Versions 9.8, 9.10 and 9.11 are not affected, versions 9.12 and 9.13 are affected.

Vulnerability scoring details

CVE	Score	Vector
CVE-2023-4863	8.8 (HIGH)	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitation and public announcements
NetApp is aware of public discussion of this vulnerability.

References : https://github.com/webmproject/libwebp/releases/tag/v1.3.2

Affected products

• Active IQ Unified Manager for VMware vSphere

Software versions and fixes
NetApp’s currently available patches are listed below.

Product	First Fixed in Release
Active IQ Unified Manager for VMware vSphere	https://mysupport.netapp.com/site/products/all/details/activeiq_um/downloads-tab/download/62791/9.13P1/

Workarounds : None at this time.

Obtaining software fixes
Software fixes will be made available through the NetApp Support website in the Software Download section.

Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.

Contact information
Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:

Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)

Status of this Notice : Final.

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

This advisory is posted at this link.

Revision history

Revision #	Date	Comments
1.0	20230929	Initial public release
2.0	20231004	ONTAP Select Deploy administration utility moved to Products Not Affected
3.0	20231010	ONTAP tools for VMware vSphere and NetApp SolidFire & HCI Management Node moved to Products Not Affected
4.0	20231013	FAS/AFF BIOS – 2820 and FAS/AFF BIOS – A900/9500 moved to Products Not Affected
5.0	20231101	Active IQ Unified Manager for VMware vSphere added to Software Versions and Fixes
6.0	20231102	BlueXP Classification moved to Products Not Affected, Final status

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp.