This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Netapp First view 2016-08-31
Product Clustered Data Ontap Last view 2020-04-17
Version - Type Os
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:o:netapp:clustered_data_ontap

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
7.5 2020-04-17 CVE-2020-11868

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp.

7.5 2019-10-25 CVE-2019-5508

Clustered Data ONTAP versions 9.2 through 9.4 are susceptible to a vulnerability which allows an attacker to use l2ping to cause a Denial of Service (DoS).

5.9 2019-10-09 CVE-2019-5506

Clustered Data ONTAP versions 9.0 and higher do not enforce hostname verification under certain circumstances making them susceptible to impersonation via man-in-the-middle attacks.

6.1 2019-09-26 CVE-2019-10092

In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

7.5 2019-05-15 CVE-2019-8936

NTP through 4.2.8p12 has a NULL Pointer Dereference.

7.5 2019-04-08 CVE-2019-0217

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

7.5 2019-02-27 CVE-2019-5491

Clustered Data ONTAP versions prior to 9.1P15 and 9.3 prior to 9.3P7 are susceptible to a vulnerability which discloses sensitive information to an unauthenticated user.

4.4 2019-02-01 CVE-2018-5498

Clustered Data ONTAP versions 9.0 through 9.4 are susceptible to a vulnerability which allows remote authenticated attackers to cause a Denial of Service (DoS) in NFS and SMB environments. Exploitation of this vulnerability will allow a remote authenticated attacker to cause a Denial of Service (DoS) on affected versions of clustered Data ONTAP configured for multiprotocol access.

4.4 2019-01-24 CVE-2018-5497

Clustered Data ONTAP versions prior to 9.1P16, 9.3P10 and 9.4P5 are susceptible to a vulnerability which discloses sensitive information to an unauthorized user.

5.3 2018-08-17 CVE-2018-15473

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

8.8 2018-08-03 CVE-2018-5490

Read-Only export policy rules are not correctly enforced in Clustered Data ONTAP 8.3 Release Candidate versions and therefore may allow more than "read-only" access from authenticated SMBv2 and SMBv3 clients. This behavior has been resolved in the GA release. Customers running prior release candidates (RCs) are requested to update their systems to the NetApp Data ONTAP 8.3 GA release.

9.8 2018-03-26 CVE-2018-1312

In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

7.5 2018-03-26 CVE-2018-1303

A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.

5.9 2018-03-26 CVE-2018-1301

A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.

5.3 2018-03-26 CVE-2018-1283

In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

8.1 2018-03-26 CVE-2017-15715

In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.

7.5 2018-03-26 CVE-2017-15710

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

7.5 2018-01-21 CVE-2016-10708

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

6.5 2017-12-18 CVE-2017-14583

NetApp Clustered Data ONTAP versions 9.x prior to 9.1P10 and 9.2P2 are susceptible to a vulnerability which allows an attacker to cause a Denial of Service (DoS) in SMB environments.

7.5 2017-11-13 CVE-2016-8610

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.

5.7 2017-11-09 CVE-2017-5201

NetApp Clustered Data ONTAP before 8.3.2P8 and 9.0 before P2 allow remote authenticated users to obtain sensitive cluster and tenant information via unspecified vectors, a different vulnerability than CVE-2016-3064.

7.5 2017-11-07 CVE-2017-16642

In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.

8.8 2017-08-18 CVE-2017-12420

Heap-based buffer overflow in the SMB implementation in NetApp Clustered Data ONTAP before 8.3.2P8 and 9.0 before P2 allows remote authenticated users to cause a denial of service or execute arbitrary code.

9.8 2017-08-07 CVE-2015-7871

Crypto-NAK packets in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to bypass authentication.

6.5 2017-08-07 CVE-2015-7855

The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (assertion failure) via a 6 or mode 7 packet containing a long data value.

CWE : Common Weakness Enumeration

%idName
33% (13) CWE-20 Improper Input Validation
17% (7) CWE-200 Information Exposure
5% (2) CWE-476 NULL Pointer Dereference
5% (2) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
5% (2) CWE-287 Improper Authentication
5% (2) CWE-125 Out-of-bounds Read
5% (2) CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflo...
5% (2) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
2% (1) CWE-787 Out-of-bounds Write
2% (1) CWE-772 Missing Release of Resource after Effective Lifetime
2% (1) CWE-732 Incorrect Permission Assignment for Critical Resource
2% (1) CWE-416 Use After Free
2% (1) CWE-362 Race Condition
2% (1) CWE-295 Certificate Issues
2% (1) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')

Snort® IPS/IDS

Date Description
2016-12-29 OpenSSL SSLv3 warning denial of service attempt
RuleID : 40843 - Type : SERVER-OTHER - Revision : 3
2016-12-20 NTP origin timestamp denial of service attempt
RuleID : 40811 - Type : SERVER-OTHER - Revision : 4
2016-03-14 NTP arbitrary pidfile and driftfile overwrite attempt
RuleID : 37526 - Type : SERVER-OTHER - Revision : 3
2016-03-14 NTP arbitrary pidfile and driftfile overwrite attempt
RuleID : 37525 - Type : SERVER-OTHER - Revision : 3
2016-03-14 NTP decodenetnum assertion failure denial of service attempt
RuleID : 36633 - Type : SERVER-OTHER - Revision : 3
2016-03-14 NTP decodenetnum assertion failure denial of service attempt
RuleID : 36632 - Type : SERVER-OTHER - Revision : 3
2016-03-14 NTP crypto-NAK packet flood attempt
RuleID : 36536 - Type : SERVER-OTHER - Revision : 5
2015-10-01 ntpd remote configuration denial of service attempt
RuleID : 36252 - Type : SERVER-OTHER - Revision : 4
2015-10-01 ntpq atoascii memory corruption attempt
RuleID : 36251 - Type : SERVER-OTHER - Revision : 4
2015-10-01 ntpd keyfile buffer overflow attempt
RuleID : 36250 - Type : SERVER-OTHER - Revision : 4

Nessus® Vulnerability Scanner

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-08 Name: The remote EulerOS host is missing a security update.
File: EulerOS_SA-2019-1008.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-065a7722ee.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-6744ca470d.nasl - Type: ACT_GATHER_INFO
2018-12-28 Name: The remote EulerOS Virtualization host is missing a security update.
File: EulerOS_SA-2018-1411.nasl - Type: ACT_GATHER_INFO
2018-12-28 Name: The remote EulerOS Virtualization host is missing a security update.
File: EulerOS_SA-2018-1413.nasl - Type: ACT_GATHER_INFO
2018-12-28 Name: The remote EulerOS host is missing a security update.
File: EulerOS_SA-2018-1431.nasl - Type: ACT_GATHER_INFO
2018-12-10 Name: The remote EulerOS host is missing a security update.
File: EulerOS_SA-2018-1405.nasl - Type: ACT_GATHER_INFO
2018-11-21 Name: The remote EulerOS Virtualization host is missing a security update.
File: EulerOS_SA-2018-1379.nasl - Type: ACT_GATHER_INFO
2018-10-09 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201810-03.nasl - Type: ACT_GATHER_INFO
2018-09-27 Name: The remote Amazon Linux 2 host is missing a security update.
File: al2_ALAS-2018-1075.nasl - Type: ACT_GATHER_INFO
2018-09-18 Name: The remote EulerOS Virtualization host is missing a security update.
File: EulerOS_SA-2018-1254.nasl - Type: ACT_GATHER_INFO
2018-09-14 Name: The remote Fedora host is missing a security update.
File: fedora_2018-f56ded11c4.nasl - Type: ACT_GATHER_INFO
2018-09-07 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1075.nasl - Type: ACT_GATHER_INFO
2018-08-28 Name: The remote Debian host is missing a security update.
File: debian_DLA-1476.nasl - Type: ACT_GATHER_INFO
2018-08-23 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4280.nasl - Type: ACT_GATHER_INFO
2018-08-22 Name: The remote Debian host is missing a security update.
File: debian_DLA-1474.nasl - Type: ACT_GATHER_INFO
2018-08-17 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-1_0-0126.nasl - Type: ACT_GATHER_INFO
2018-07-24 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-2_0-0037.nasl - Type: ACT_GATHER_INFO
2018-07-24 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-2_0-0039.nasl - Type: ACT_GATHER_INFO
2018-07-03 Name: The remote EulerOS host is missing a security update.
File: EulerOS_SA-2018-1212.nasl - Type: ACT_GATHER_INFO
2018-07-03 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1213.nasl - Type: ACT_GATHER_INFO
2018-05-31 Name: The remote Debian host is missing a security update.
File: debian_DLA-1389.nasl - Type: ACT_GATHER_INFO
2018-05-29 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1151.nasl - Type: ACT_GATHER_INFO
2018-05-29 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1152.nasl - Type: ACT_GATHER_INFO
2018-05-14 Name: The remote Fedora host is missing a security update.
File: fedora_2018-e6d9251471.nasl - Type: ACT_GATHER_INFO