Product: Snapmanager (Netapp)

Repositories: https://github.com/madler/zlib, https://github.com/dom4j/dom4j

#Vulnerabilities: 180

| Date | Id | Summary | Products | Score |
|---|---|---|---|---|
| 2022-05-03 | CVE-2022-1292 | The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o... | Debian_linux, Fedora, A250_firmware, A700s_firmware, Active_iq_unified_manager, Aff_500f_firmware, Aff_8300_firmware, Aff_8700_firmware, Aff_a400_firmware, Clustered_data_ontap, Clustered_data_ontap_antivirus_connector, Fabric\-Attached_storage_a400_firmware, Fas_500f_firmware, Fas_8300_firmware, Fas_8700_firmware, H300e_firmware, H300s_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Oncommand_insight, Oncommand_workflow_automation, Santricity_smi\-S_provider, Smi\-S_provider, Snapcenter, Snapmanager, Solidfire\,_enterprise_sds_\&_hci_storage_node, Solidfire_\&_hci_management_node, Openssl, Enterprise_manager_ops_center, Mysql_server, Mysql_workbench | 9.8 |
| 2022-05-03 | CVE-2022-1343 | The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the... | A250_firmware, A700s_firmware, Active_iq_unified_manager, Aff_500f_firmware, Aff_8300_firmware, Aff_8700_firmware, Aff_a400_firmware, Clustered_data_ontap, Clustered_data_ontap_antivirus_connector, Fabric\-Attached_storage_a400_firmware, Fas_500f_firmware, Fas_8300_firmware, Fas_8700_firmware, H300e_firmware, H300s_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Santricity_smi\-S_provider, Smi\-S_provider, Snapmanager, Solidfire\,_enterprise_sds_\&_hci_storage_node, Solidfire_\&_hci_management_node, Openssl | 5.3 |
| 2022-05-03 | CVE-2022-1434 | The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and... | A250_firmware, A700s_firmware, Active_iq_unified_manager, Aff_500f_firmware, Aff_8300_firmware, Aff_8700_firmware, Aff_a400_firmware, Clustered_data_ontap, Clustered_data_ontap_antivirus_connector, Fabric\-Attached_storage_a400_firmware, Fas_500f_firmware, Fas_8300_firmware, Fas_8700_firmware, H300e_firmware, H300s_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Santricity_smi\-S_provider, Smi\-S_provider, Snapmanager, Solidfire\,_enterprise_sds_\&_hci_storage_node, Solidfire_\&_hci_management_node, Openssl | 5.9 |
| 2022-05-03 | CVE-2022-1473 | The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time.... | A250_firmware, A700s_firmware, Active_iq_unified_manager, Aff_500f_firmware, Aff_8300_firmware, Aff_8700_firmware, Aff_a400_firmware, Clustered_data_ontap, Clustered_data_ontap_antivirus_connector, Fabric\-Attached_storage_a400_firmware, Fas_500f_firmware, Fas_8300_firmware, Fas_8700_firmware, H300e_firmware, H300s_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Santricity_smi\-S_provider, Smi\-S_provider, Snapmanager, Solidfire\,_enterprise_sds_\&_hci_storage_node, Solidfire_\&_hci_management_node, Openssl | 7.5 |
| 2022-06-21 | CVE-2022-2068 | In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems... | Sannav, Debian_linux, Fedora, Aff_8300_firmware, Aff_8700_firmware, Aff_a400_firmware, Bootstrap_os, Element_software, Fas_8300_firmware, Fas_8700_firmware, Fas_a400_firmware, H300s_firmware, H410c_firmware, H410s_firmware, H500s_firmware, H610c_firmware, H610s_firmware, H615c_firmware, H700s_firmware, Hci_management_node, Ontap_antivirus_connector, Ontap_select_deploy_administration_utility, Santricity_smi\-S_provider, Smi\-S_provider, Snapmanager, Solidfire, Openssl, Sinec_ins | 9.8 |
| 2022-11-23 | CVE-2022-40303 | An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. | Ipados, Iphone_os, Macos, Tvos, Watchos, Active_iq_unified_manager, Clustered_data_ontap, Clustered_data_ontap_antivirus_connector, H300s_firmware, H410c_firmware, H410s_firmware, H500s_firmware, H700s_firmware, Netapp_manageability_sdk, Ontap_select_deploy_administration_utility, Snapmanager, Libxml2 | 7.5 |
| 2022-11-23 | CVE-2022-40304 | An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. | Ipados, Iphone_os, Macos, Tvos, Watchos, Active_iq_unified_manager, Clustered_data_ontap, Clustered_data_ontap_antivirus_connector, H300s_firmware, H410c_firmware, H410s_firmware, H500s_firmware, H700s_firmware, Manageability_software_development_kit, Smi\-S_provider, Snapmanager, Libxml2 | 7.8 |
| 2022-01-18 | CVE-2022-23302 | JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use... | Log4j, Brocade_sannav, Snapmanager, Advanced_supply_chain_planning, Business_intelligence, Business_process_management_suite, Communications_eagle_ftp_table_base_retrieval, Communications_instant_messaging_server, Communications_messaging_server, Communications_network_integrity, Communications_offline_mediation_controller, Communications_unified_inventory_management, E\-Business_suite_cloud_manager_and_cloud_backup_module, Enterprise_manager_base_platform, Financial_services_revenue_management_and_billing_analytics, Healthcare_foundation, Hyperion_data_relationship_management, Hyperion_infrastructure_technology, Identity_management_suite, Identity_manager_connector, Jdeveloper, Middleware_common_libraries_and_tools, Mysql_enterprise_monitor, Tuxedo, Weblogic_server, Reload4j | 8.8 |
| 2022-01-18 | CVE-2022-23305 | By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the... | Log4j, Brocade_sannav, Snapmanager, Advanced_supply_chain_planning, Business_intelligence, Business_process_management_suite, Communications_eagle_ftp_table_base_retrieval, Communications_instant_messaging_server, Communications_messaging_server, Communications_network_integrity, Communications_offline_mediation_controller, Communications_unified_inventory_management, E\-Business_suite_cloud_manager_and_cloud_backup_module, E\-Business_suite_information_discovery, Enterprise_manager_base_platform, Financial_services_revenue_management_and_billing_analytics, Healthcare_foundation, Hyperion_data_relationship_management, Hyperion_infrastructure_technology, Identity_management_suite, Identity_manager_connector, Jdeveloper, Middleware_common_libraries_and_tools, Mysql_enterprise_monitor, Retail_extract_transform_and_load, Tuxedo, Weblogic_server, Reload4j | 9.8 |
| 2016-09-21 | CVE-2015-8960 | The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key... | Transport_layer_security, Clustered_data_ontap_antivirus_connector, Data_ontap_edge, Host_agent, Oncommand_shift, Plug\-In_for_symantec_netbackup, Smi\-S_provider, Snap_creator_framework, Snapdrive, Snapmanager, Snapprotect, Solidfire_\&_hci_management_node, System_setup | 8.1 |