
NetApp Published 4 Security Advisories

Vulnerabilities concerning sensitive information disclosure in System Manager 9.x, denial of service in Clustered Data ONTAP, cURL/libcURL, and Linux Kernel

NetApp, Inc. has published 4 security advisories:

CVE-2021-27004 sensitive information disclosure vulnerability in System Manager 9.x

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.

Advisory ID: NTAP-20211029-0001
Version: 1.0
Last updated: 10/29/2021
Status: Final.
CVEs: CVE-2021-27004

Summary
System Manager 9.x versions 9.7 and higher prior to 9.7P16, 9.8P7 and 9.9.1P2 are susceptible to a vulnerability which could allow a local attacker to discover plaintext iSCSI CHAP credentials.

Impact
Successful exploitation of this vulnerability could lead to disclosure of sensitive information.

Vulnerability scoring details

| CVE | Score | Vector |
|---|---|---|
| CVE-2021-27004 | 2.8 (low) | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |

Exploitation and public announcements
NetApp is not aware of public discussion regarding this vulnerability.

 

CVE-2021-27005 denial of service vulnerability in Clustered Data ONTAP

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.

Advisory ID: NTAP-20211029-0002

Version: 1.0

Last updated: 10/29/2021

Status: Final.

CVEs: CVE-2021-27005

Summary
Clustered Data ONTAP versions 9.6 and higher prior to 9.6P16, 9.7P16, 9.8P7 and 9.9.1P3 are susceptible to a vulnerability which could allow a remote attacker to cause a crash of the httpd server.

Impact
Successful exploitation of this vulnerability could lead to Denial of Service (DoS).

Vulnerability scoring details

| CVE | Score | Vector |
|---|---|---|
| CVE-2021-27005 | 5.3 (medium) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |

Exploitation and public announcements
NetApp is aware of public discussion of this vulnerability.

 

September 2021 cURL/libcURL vulnerabilities in NetApp products

NetApp will continue to update this advisory as additional information becomes available.

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.

Advisory ID: NTAP-20211029-0003

Version: 1.0

Last updated: 10/29/2021

Status: Interim.

CVEs: CVE-2021-22945, CVE-2021-22946, CVE-2021-22947

Summary
Multiple NetApp products incorporate libcurl. Various versions of libcurl are susceptible to vulnerabilities which, when successfully exploited, could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Impact
Successful exploitation of these vulnerabilities could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Vulnerability scoring details

| CVE | Score | Vector |
|---|---|---|
| CVE-2021-22945 | 9.8 (critical) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-22946 | 7.5 (high) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2021-22947 | 5.9 (medium) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |

Exploitation and public announcements
NetApp is aware of public discussion of this vulnerability.

 

CVE-2021-41864 Linux Kernel vulnerability in NetApp products

NetApp will continue to update this advisory as additional information becomes available.

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.

Advisory ID: NTAP-20211029-0004

Version: 1.0

Last updated: 10/29/2021

Status: Interim.

CVEs: CVE-2021-41864

Summary
Multiple NetApp products incorporate the Linux kernel. Linux kernel versions through 5.14.9 are susceptible to a vulnerability which, when successfully exploited, could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Impact
Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Vulnerability scoring details

| CVE | Score | Vector |
|---|---|---|
| CVE-2021-41864 | 7.8 (high) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

Exploitation and public announcements
NetApp is aware of public discussion of this vulnerability.

References: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=30e29a9a2bc6a4888335a6ede968b75cd329657a

 
