Cust Letter Shellshock Hitachi

L a s t M o d i f i e d : 7 - M a y 2 0 1 5

Hitachi Data Systems | Security Vulnerabilities and Product Affectivity 1

Hitachi Data Systems Product Affectivity

for Worldwide Security Vulnerabilities Hitachi Data Systems continuously strives to provide you with the highest quality products and solutions. We take this responsibility very seriously. To this end, we constantly monitor our quality control and storage system test processes to ensure that our products are secure and operating at peak performance. When worldwide security vulnerabilities are identified, our Product Engineering and Global Security teams review with our vendors any potential security threats that the vulnerability may pose within Hitachi Data Systems product and solution offerings. At the completion of the assessment Hitachi Data Systems releases product statements describing any exposure our customers may have to this issue. Our engineering teams prepare circumvention and software fixes for any product affected to ensure that you are protected. A list of worldwide security vulnerabilities is included in the table below. Click the name of the vulnerability to view Hitachi Data Systems product affectivity matrix for that issue.

Security Vulnerability

Description

CVE-2015-1635 HTTP.sys Remote Code Execution Vulnerability April 22, 2015

CVE-2015-1635 HTTP.sys Remote Code Execution Vulnerability: HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."

CVE-2015-0290 & CVE-2015-0291 Open SSL Vulnerability

March 30, 2015

CVE-2015-0290 & CVE-2015-0291 Open SSL Vulnerability: The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.

FREAK vulnerability (CVE-2015-0204) March 4,2015

CVE-2015-0204-FREAK: The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.

SAMBA CVE-2015-0240 February 23, 2015

CVE-2015-0240-Samba: is a security flaw in the smbd file server daemon. It can be exploited by a malicious Samba client by sending specially-crafted packets to the Samba server. No authentication is required to exploit this flaw. It can result in remotely controlled execution of arbitrary code as root.



Security Vulnerability

Description

GHOST (CVE-2015-0235) January 27, 2015

CVE-2015-0235 -GHOST is a 'buffer overflow' Linux bug affecting the gethostbyname() and

gethostbyname2() function calls in the glibc library. This vulnerability in Linux allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.

NTP (CVE-2014-9293 through CVE-2014-9296) December 22, 2014

Network Time Protocol (NTP) Vulnerability (CVE-2014-9293 through CVE-2014-9296): A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.

POODLE CVE-2014-3566 September 2014

Padding Oracle On Downgraded Legacy Encryption (POODLE): An attacker who acts as man-in-the-middle can force the SSL/TLS protocol to downgrade to version 3.0 if the attacked application supports this old SSL version. This legacy protocol is not secure. Depending on the application, it may be possible for an adversary to mount attacks that can lead to disclosure of secret data such as passwords or HTTP cookies.

Shellshock CVE-2014-6271 September 24, 2014

Shellshock CVE-2014-6271 (and the related issues CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278): This vulnerability affects UNIX-based Bash (Bourne shell) and has the potential to arbitrarily execute code within UNIX environments. Some native services and applications may allow remote unauthenticated attackers to provide environment variables and exploit this issue.

OpenSSL Heartbleed April 2014

OpenSSL Heartbleed: This is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected under normal conditions by the SSL/TLS encryption used to secure the internet. SSL/TLS provides communication security and privacy over the internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

CVE-2015-1635 HTTP.sys Remote Code Execution Vulnerability The following table references Hitachi Data Systems products and solutions affected by the worldwide security issue known as CVE-2015-1635 HTTP.sys Remote Code Execution Vulnerability. Open items are actively updated; please review this table frequently for new details.



(CVE-2015-1635) HTTP.sys Remote Code Execution Vulnerability

Product Type Product Name Affected? Vulnerable? Version More Information

Networking Brocade

VTL BusTech

Networking Cisco Systems

Networking Emulex

Networking Qlogic

Software Application Protector

Software Arkivio

Software Business Continuity Manager

Software CA Integration Module

Software Clinical Repository - Karos

Software Clinical Repository - Visbion

Software Command Director

Software Compute Systems Manager

Software Data Instance Manager

Software Data Protection Suite

Software Device Manager

Software Dual Active ID

Software Dynamic Link Manager

Software Dynamic Replicator

Software e-Copy

Software IT Operations Analyzer

Software IT Operations Analyzer Advance





Software IT Operations Director

Software IT Operations Integrator

Software IT Operations Repository

Software LPAR

Software Microsoft Adapters

Software NanoCopy

Software Oracle Adapters

Software Power Saving

Software Protection Manager

Software Replication Manager

Software Replication Monitor

Software SAP Adapters

Software Sepaton

Software Server Conductor

Software Seven10

Software SpectraLogic

Software Storage Adapter for Petrel

Software Storage Navigator Modular 2

No No

Recommend customer patch OS of management server, if applicable (see Microsoft MS15-034)

Software Storage Optimization for MS SharePoint

Software Storage Services Manager

Software

Storage Viewer Suite

Backup Services Manager (HBSM)

Storage Capacity Reporter (HSCR)





Storage Fabric Reporter (HSFR)

Virtual Server Reporter (HVSR)

File Analytics Reporter (HFAR)

Software StorFirst Apollo

Software Streaming Data Platform

Software Symantec Adapters

Software Tiered Storage Manager

Software Tiered Storage Manager for MF

Software Tuning Manager

Software TurboLUN

Software UCP Orchestration Software

Software Virtual Infrastructure Integrator

Software Virtual Tape Library Diligent

VTL Virtual Tape Library FalconStor





Software VMware Adapters

Software Zone Allocation Manager

Systems Adaptable Modular Storage (AMS)

No No

System does not contain Windows OS.

Systems Adaptable Modular Storage 2000

No No System does not contain Windows OS.

Systems Capacity Optimization

File & Content Content Platform (HCP) No No

File & Content Content Platform Anywhere (HCP-AW)

No No

File & Content HCP S Nodes No No

Systems Data Discovery Suite

Systems Data Discovery Suite for MS SharePoint

File & Content Data Ingestor and HNAS Platform F

No No

HDI and HFSM do not use IIS7 where the vulnerability is found. HDI and HFSM use Hitachi Web Server for web services. If HFSM is installed in a windows server where IIS7 is already running, attacker can attack the windows server through IIS7. In this case please apply a patch or workaround for the windows server.





Systems Essential NAS Platform No No System does not contain Windows OS.

Systems Hitachi Universal Storage VM

No No System does not use affected versions of Windows OS.

File & Content HUS File Module No No System does not contain

Windows OS.

Systems HyperStor

File & Content NAS 3x00 (Titan) No No System does not contain Windows OS.

File & Content NAS 30x0 (Mercury) No No System does not contain Windows OS.

File & Content NAS 4000 Series No No System does not contain Windows OS.

File & Content SMU No No System does not contain Windows OS.

Systems Network Storage Controller (NSC55)


Systems Simple Modular Storage (SMS)


Systems UCP for Microsoft Exchange

Yes Yes ALL Management Stack runs on Windows Server, mitigation under investigation.

Systems UCP Select for Microsoft SQL Server


Systems UCP Select for Oracle Database


Systems UCP Pro (UCP 4000 / 4000e) for VMware vSphere


Systems

UCP Pro (UCP 4000/4000e) for Microsoft Private Cloud


Systems UCP Select for SAP HANA






Systems

UCP Select for VMware View


Systems UCP Select for VMware vSphere


Systems Unified Storage File Module (HUS FM)


Systems Unified Storage (HUS) No No System does not contain Windows OS.

Systems Unified Storage VM (HUS VM)


Systems Universal Storage Platform V (USP V)


Systems

Universal Storage Platform VM (USP VM)


Systems

Hitachi Virtual Storage Platform G1000 (VSP G1000)

No No

SVP is Windows 7, however SVP does not use IIS as a webserver so unaffected. Regardless, patch MS15-034 is forthcoming next SVP Security Update CD (being processed).

Systems Virtual Storage Platform (VSP)


Systems Workgroup Modular Storage WMS


Other Hi-Track Remote Monitoring system

No No


Other Remote Access Control Center (RACC)

No No




CVE-2015-0290 & CVE-2015-0291 Open SSL Vulnerability The following table references Hitachi Data Systems products and solutions affected by the worldwide security issue known as CVE-2015-0290 & CVE-2015-0291 Open SSL Vulnerability. Open items are actively updated; please review this table frequently for new details.

(CVE-2015-0290/0291)


Networking Brocade No No FOS/NOS/BNA

http://www.brocade.com/service

s-support/drivers-

downloads/oscd/index.page?

VTL BusTech

Networking Cisco Systems Under vendor investigation 3/27

Networking Emulex

Networking Qlogic No No


Software Arkivio


No No System does not implement OpenSSL.












(CVE-2015-0290/0291)




Software e-Copy






Software LPAR


Software NanoCopy







Software Sepaton


Software Seven10




No No System does not implement OpenSSL 1.0.2




(CVE-2015-0290/0291)



Software













Software TurboLUN







(CVE-2015-0290/0291)





No No

System does not implement OpenSSL 1.0.2




File & Content Content Platform (HCP) No No All


No No All

File & Content HCP S Nodes No No All




No No Product does not implement

OpenSSL 1.0.2



(CVE-2015-0290/0291)



No No Product does not implement OpenSSL 1.0.2

Systems Essential NAS Platform



File & Content HUS File Module

Systems HyperStor

File & Content NAS 3x00 (Titan)

File & Content NAS 30x0 (Mercury)

File & Content NAS 4000 Series

File & Content SMU









Systems



Systems





(CVE-2015-0290/0291)



Systems Unified Storage (HUS) No No System does not implement OpenSSL 1.0.2





Systems



Systems








Under investigation


Under investigation

CVE-2015-0204 FREAK: Security flaw in Open SSL 1.0x The following table references Hitachi Data Systems products and solutions affected by the worldwide security

issue known as CVE-2015-0240 Samba. Open items are actively updated; please review this table frequently for

new details.

(FREAK)




(FREAK)


Networking Brocade FOS and NOS not affected

BNA 12.3.2 and lower.

12.3.2 and lower if SSL is turned on.

Upgrade to BNA 12.3.4 or higher.

VTL BusTech

Networking Cisco Systems Yes Yes Bug # CSCus42713 has been opened for this issue

Networking Emulex

Networking Qlogic Yes Yes Firmware fix May 15 timeframe


Software Arkivio













Software e-Copy




(FREAK)






Software LPAR


Software NanoCopy







Software Sepaton


Software Seven10




No No Does not use the cipher of type RSA-EXPORT



Software






(FREAK)











Software TurboLUN


NO NO All

Only effects clients when a server indicates the client needs to downgrade the security session. This does not affect the server.






(FREAK)





No No System is never SSL client


No No System is never SSL client


Systems Compute Blade and Compute Rack Products

File & Content Content Platform (HCP) No No All

HCP does not use the affected

ciphers. HCP is not vulnerable.


No No All

HCP Anywhere does not use the

affected ciphers. HCP Anywhere

is not vulnerable.

File & Content HCP S Nodes No No All

HCP S Series is not vulnerable to

CVE-2015-0204. It does not

accept any of the cipher suites

that are vulnerable.



(FREAK)








No No

File & Content HUS File Module Yes No Disable SSLv3 as per 81621

Systems HyperStor

File & Content NAS 3x00 (Titan) Yes No Disable SSLv3 as per 81621

File & Content NAS 30x0 (Mercury) Yes No Disable SSLv3 as per 81621

File & Content NAS 4000 Series Yes No Disable SSLv3 as per 81621

File & Content SMU Yes No Disable SSLv3 as per 81621


No No


No No


NO NO ALL



NO NO ALL



NO NO ALL



NO NO ALL




(FREAK)


Systems


NO NO ALL



NO NO ALL


Systems


NO NO ALL



NO NO ALL



Yes No Disable SSLv3 as per 81621

Systems Unified Storage (HUS) No No System is never SSL client


No No


No No

Systems


No No

Systems


No No


No No


No No


No No


No No



CVE-2015-0204 SAMBA: Security flaw in smbd file srvr daemon The following table references Hitachi Data Systems products and solutions affected by the worldwide security

issue known as CVE-2015-0240 Samba. Open items are actively updated; please review this table frequently for

new details.

(SAMBA)


Networking Brocade No No FOS, NOS, BNA

VTL BusTech Under investigation by vendor

Networking Cisco Systems No No

Networking Emulex



Software Arkivio Under investigation by vendor




Under investigation by vendor


Under investigation by vendor








Software Dynamic Replicator Under investigation by vendor

Software e-Copy



(SAMBA)







Software LPAR


Software NanoCopy







Software Sepaton


Software Seven10 Under investigation by vendor

Software SpectraLogic Under investigation by vendor



No No SNM2 does not contain Linux OS.



Software





(SAMBA)












Software TurboLUN





Low attach rate. Working on patch.



(SAMBA)





No No

Product does not contain Linux OS


No No Product does not contain Linux OS


Systems Compute Blade 2000 No No N/A



Systems Compute Rack 210H/220H/220S

No No N/A

Systems Compute Rack 220 No No N/A



(SAMBA)


File & Content Content Platform (HCP)

HCP 6.x and HCP 7.x systems using the CIFS namespace gateway with Active Directory authentication are vulnerable. A fix for this vulnerability will be included in the 7.1.1 maintenance release and a hotfix for 6.x will be available by 3wwwww March 31st.


HCP Anywhere does not run Samba and is not vulnerable

File & Content HCP S Nodes Under review.




Yes Yes All

HDI Engineering will include a fix

for this vulnerability in a

maintenance release 5.1.1-04.

Customers are encouraged to

upgrade to this release. The

maintenance release is expected

to be delivered to HDS on March

18, 2015.




File & Content HUS File Module No No Does not include Samba

Systems HyperStor

File & Content NAS 3x00 (Titan) No No No LINUX



(SAMBA)


File & Content NAS 30x0 (Mercury) No No Does not include Samba

File & Content NAS 4000 Series No No Does not include Samba

File & Content SMU No No Does not include Samba









Systems



Systems




No No Does not include Samba

Systems Unified Storage (HUS) No No Product does not contain Linux OS





(SAMBA)




Systems



Systems








No No


No No RACC does not support Linux



CVE-2015-0235 GHOST: glibc gethostbyname Buffer Overflow The following table references Hitachi Data Systems products and solutions affected by the worldwide

security issue known as NTP. Open items are actively updated; please review this table frequently for new

details.

(GHOST)


Networking Brocade No No FOS, NOS , BNA

http://www.brocade.com/downloads/documents/technical_support_bulletins/brocade-assessment-gnu-c-library-sa.pdf

VTL BusTech Vendor investigation 1/27/15

Networking Cisco Systems Yes Yes NXOS v6.x, v5.x Bug CSCus68360 is fixed in v5.2(8f) and 6.2(11b)

Networking Emulex



Software Arkivio Vendor investigation 1/27/15


No No BCM does not utilize glibc



Vendor investigation 1/27/15






Software Data Protection Suite Yes Yes Fixed with Service Pak 9

http://documentation.commvault

.com/commvault/v10/article?p=a

nnouncement/announcements.ht

m



(GHOST)





Software Dynamic Replicator Vendor investigation 1/27/15

Software e-Copy






Software LPAR Tbd Tbd Updated expected 3-Feb-14 for: CB 2500, CB 2000, CB 500,

CB 320


Software NanoCopy







Software Sepaton


Software Seven10 Vendor investigation 1/27/15

Software SpectraLogic Vendor investigation 1/27/15




(GHOST)



No No

SNM2 does not contain Linux OS/glibc. Recommend customer upgrade to fixed OS/glibc and then restart SNM2 service.


No No


Software













Software TurboLUN


Yes Yes ALL

Under Investigation




(GHOST)




You can download the patches from the FalconStor Customer Support Portal. update-rhel5x06 for CDP

update-rhel5x06 for NSS

update-rhel5x06 for VTL/SIR







No No

Product does not contain Linux OS, nor glibc library


No No Product does not contain Linux OS, nor glibc library


Systems Compute Blade and Compute Rack Products



(GHOST)




(GHOST)


File & Content Content Platform (HCP) Yes No All

HCP is running impacted versions

of the glibc libraries, however the

vulnerability described in CVE-

2015-0235 is not exploitable via

any HCP gateways (SSH).


Yes No

HCP Anywhere versions 1.3 and

earlier are running impacted

versions of the glibc libraries.

However the vulnerability

described in CVE-2015-0235 is

not exploitable via any HCP

Anywhere gateways. The glibc

libraries will be updated to the

latest non-impacted version in

the 2.0 release of HCP Anywhere

which is scheduled for GA on

March 6, 2015.



(GHOST)


Systems Data Discovery Suite Yes Yes All

HDDS does not use the gethostbyname function of the glibc, therefore under normal operations of HDDS, it is not affected. However, HDS and Red Hat recommend the installation of RHEL 6.2 as there is a security update which should be applied. "GHOST: glibc vulnerability (CVE-

2015-0235)

"https://access.redhat.com/articl

es/1332213

"glibc security update RHSA-

2015:0099"https://rhn.redhat.co

m/errata/RHSA-2015-0099.html


No No


Yes Yes All versions prior to 03-01-00-00

Yes. If the customer uses HDI

before 03-01-00-00, please

upgrade HDI before 03-01-00-00

to 03-01-00-00 or later.


Yes No 03-01-00-00 and above

03-01-00-00 and above versions do not call any of the affected gethostbyname functions and FOS verifies the length of the hostname and rejects processing if the hostname variable is too long.

Systems Essential NAS Platform Yes Yes All No fix is currently planned. Customers should contact their Account team if a fix is required.



File & Content HUS File Module Yes No See Tech Bulletin - 82081

Systems HyperStor



(GHOST)


File & Content NAS 3x00 (Titan) No No No LINUX

File & Content NAS 30x0 (Mercury) Yes No See Tech Bulletin - 82081

File & Content NAS 4000 Series Yes No See Tech Bulletin - 82081

File & Content SMU Yes No See Tech Bulletin - 82081






No No


No No


No No


Yes Yes Fix currently being developed. (1/28/15)

Systems


Yes Yes Fix currently being developed. (1/28/15)


Yes Yes

SUSE Linux Enterprise 11 and older products. Patches have been released and can be found at: This Link

Systems


No No


No No


Yes No See Tech Bulletin - 82081

Systems Unified Storage (HUS) No No Product does not contain Linux OS, nor glibc library



(GHOST)




Universal Storage Platform V

Systems (USP V) No No Product does not contain Linux OS, nor glibc library

Systems



Systems








No No


No No RACC does not support Linux



NTP (CVE-2014-9293 through CVE-2014-9296) The following table references Hitachi Data Systems products and solutions affected by the worldwide security

issue known as NTP. Open items are actively updated; please review this table frequently for new details.

(NTP)


Networking Brocade No No FOS, NOS and BNA.

NTP VU#852879 Vulnerability Assessment for Brocade

VTL BusTech Vendor investigation 1/8/15

Networking Cisco Systems Yes Yes MDS products are affected

Bug ID CSCus26870 fixed in NXOS 5.2(8f), 6.2(11b)

Networking Emulex



Software Arkivio Vendor investigation 1/8/15


No No Product does not utilize ntpd








Software Data Discovery Suite for MS SharePoint








(NTP)



No dependency on NTP for

Scout.(only if you use it to sync

with a time server for sync.

And you can get around these

security vulnerabilities by

updating the with latest NTP

RPMs

For RHEL, please look at :

https://rhn.redhat.com/errata/R

HSA-2014-2024.html

Software e-Copy

File & Content Extension Pack for Secure FTP







Software NanoCopy







(NTP)




Software Sepaton


Software Seven10 Vendor investigation 1/8/15

Software SpectraLogic Yes Low Verde Tape not affected Disk low impact, however Patch being released. Fix in new version.






Software














(NTP)



Software TurboLUN


Yes Yes All Versions




Affected. Working on patch for current version, addressed in future versions. 1-8-15










(NTP)


Systems

Compute Blade and Compute Rack Products

CVE-2014-9294 is not applicable to any product

CVE-2014-9296 is not applicable to any product



(NTP)


File & Content Content Platform (HCP) and Content Platform Anywhere (HCP-AW)

No No

External time servers connected to HCP should be secure and trusted servers that should be updated to NTP 4.2.8 or greater



File & Content Data Ingestor No No

System does not use Key Authentication and discards connection requests exploited by vulnerability



File & Content HUS File Module Yes

Systems HyperStor

File & Content NAS 3x00 (Titan) No No Not a LINUX base, custom NTP

File & Content NAS 30x0 (Mercury) Yes Limited (no Internet)

All GA Fix will be available in 12.1MR (TBD) in Feb 2015

File & Content NAS 4000 Series Yes Limited (no Internet)

All GA Fix will be available in 12.1MR (TBD) in Feb 2015

File & Content SMU Yes Limited (no Internet) All GA

Fix will be available in SMU 12.1.3613.08, 12.2.3753.07 in Feb 2015

File & Content NAS Platform F No No

System does not use Key Authentication and discards connection requests exploited by vulnerability






No No NTP issue is found in UCP Director only.







(NTP)



Yes Yes NTP issue is found in UCP Director only.

Systems




No

No

NTP issue is found in UCP Director only.

Systems






Systems Unified Storage (HUS) No No Product does not utilize ntpd





Systems (USP V)

Systems


No

No

Product does not utilize ntpd

Systems









(NTP)



No No


No No

Poodle CVE-2014-3566 The following table references Hitachi Data Systems products and solutions affected by the worldwide security

issue known as Poodle. Open items are actively updated; please review this table frequently for new details.

(POODLE)

Product Type

Product Name Affected? Vulnerable? Version More Information

Networking Brocade Yes Yes FOS 6.x FOS 7.x

Fix issued in the following FOS releases: 6.4.3g; 7.02f; 7.1.2c; 7.2.1d; 7.3.0c

VTL BusTech Under Investigation as of 10-16

Networking Cisco Systems Yes Yes NX-OS 5.x; 6.x

Fixed in the following NXOS releases: 5.2(8e), 6.2(9a) and 6.2(11b)

Networking Emulex No No

Networking Qlogic Yes Yes 8.0.14.12 and below

Fixed in firmware 8.0.14.13.00


Software Arkivio Under Investigation as of 10-16


Yes No All BCM does not use SSL, but IBM HTTP Server (HIS) uses SSL communications between BCM and HRpM. IBM recommends disabling SSL v3.




(POODLE)

Product Type



Yes Low Has statement.


No Under Investigation as of 10-16

Software Command Director No


Yes Need to disable SSL v3 on server side and use other secure communication method with client side.




Software Device Manager Yes Need to disable SSL v3 on server side and use other secure communication method with client side.



No Need to disable SSL v3 on server side and use other secure communication method with client side.

Software Dynamic Replicator Under Investigation as of 10-16.

Software e-Copy

File & Content

Extension Pack for Secure FTP





Software IT Operations Director Yes Need to disable SSL v3 on server side and use other secure communication method with client side.



(POODLE)

Product Type







Software NanoCopy




Software Replication Manager Yes Need to disable SSL v3 on server side and use other secure communication method with client side.


Software SAP Adapters Under Investigation as of 10-16

Software Sepaton


Software Seven10 No

Software SpectraLogic Under Investigation as of 10-16



Yes Low Risk

V4 and above for DF850 V21 and above for DF800

SNM2 GUI is affected (NOT CLI, NOT API). Fix schedule TBD, Alert pending. Suggest disabling SSL v3 in web browser for interim



Software





(POODLE)

Product Type








No





Software Tuning Manager Yes Need to disable SSL v3 on server side and use other secure communication method with client side.

Software TurboLUN





Not affected




(POODLE)

Product Type



Systems Adaptable/Workgroup Modular Storage (AMS/WMS)

Not affected


Yes Low Risk V04 and later

082030


Systems Compute Blade 2000




Systems Compute Rack 220

File & Content

Content Platform (HCP) and Content Platform Anywhere (HCP-AW)

081645



File & Content

Data Ingestor Yes Low Risk All Fix schedule TBD

File & Content

High-performance NAS Platform


Yes Low Risk All 81729

File & Content

HUS File Module

Systems HyperStor

File & Content

NAS 3x00 (Titan) YES Low Risk Release 8.x



(POODLE)

Product Type


File & Content

NAS 30x0 (Mercury) YES Low Risk Prior to 12.1

File & Content

NAS 4000 Series YES Low Risk Prior to 12.1

File & Content

SMU YES Low Risk Prior to 12.2

File & Content

NAS Platform F Yes Low Risk All Fix schedule TBD


TBD


Yes Low Risk V04 and later

Fix schedule TBD, Alert pending

File & Content

Titan


Systems UCP for Microsoft SQL Server

Systems UCP for Oracle Database

Systems UCP Pro for VMware vSphere

Systems Systems

UCP Pro for VMware vSphere UCP Select for Citrix XenDesktop

Systems Systems Systems

UCP Pro for VMware vSphere UCP Select for Citrix XenDesktop UCP Select for Microsoft Private Cloud

Systems UCP Select for Oracle




(POODLE)

Product Type


Systems Systems

UCP Select for SAP HANA UCP Select for VMware View

Systems Systems Systems

UCP Select for SAP HANA UCP Select for VMware View UCP Select for VMware vSphere

Systems Unified Storage (HUS) Yes Low Risk All 082030

File & Content

Unified Storage File Module (HUS FM)



Systems


Yes

Low Risk

All 81729

(USP V)

Systems Universal Storage Platform VM (USP VM)


Systems Hitachi Virtual Storage Platform G1000 (VSP G1000)

Yes Low Risk All Only SMI-S is affected (SN/SVP not affected), 81729




No No


No No



Shellshock CVE-2014-6271 The following table references Hitachi Data Systems products and solutions affected by the worldwide security issue known as Shellshock. Open items are actively updated; please review this table frequently for new details.

(Shellshock)


Networking Brocade Yes Yes FOS 6.x, 7.x Fixed in FOS 6.4.3g; 7.1.2b; 7.2.1d; 7.3.0b

VTL BusTech TBD Under investigation

Networking Cisco Systems Yes Yes NXOS 5.x; 6.x

Fixed in NXOS 5.2(8e); 6.2(9a)

Networking Ctera No

Networking Emulex No No

Networking Qlogic Yes Yes 8.0.14.12 and below

Fixed in firmware 8.0.14.13.00


TBD

Software Arkivio TBD Under investigation


TBD


TBD


No


No


No


No


TBD


TBD


TBD



(Shellshock)


Software Device Manager No

Software Dual Active ID TBD


No


No Under investigation

Software e-Copy TBD

File & Content Extension Pack for Secure FTP

Yes No Alert #81524


TBD


TBD


TBD


TBD


TBD


TBD

Software NanoCopy TBD

Software Oracle Adapters TBD

Software Power Saving TBD


No


No


No

Software SAP Adapters TBD

Software Sepaton TBD


TBD

Software Seven10 No

Software SpectraLogic TBD


TBD



(Shellshock)



No No 81554


TBD


TBD

Software Storage Viewer Suite Backup Services Manager (HBSM) Storage Capacity Reporter (HSCR) Storage Fabric Reporter (HSFR) Virtual Server Reporter (HVSR) File Analytics Reporter (HFAR)

No

Software StorFirst Apollo No


TBD


TBD


No


No

Software Tuning Manager No

Software TurboLUN TBD



(Shellshock)



Yes Yes If you are using versions of Bash in operating systems based on SUSE Linux Enterprise 9, 10 or 11, your servers are potentially at risk. If your systems are compromised, we recommend that you patch your systems right away. Follow this link for the security update from SUSE:

https://www.suse.com/support/update/announcement/2014/suse-su-20141247-1.html


TBD


TBD


Yes Yes Current Patch is available on falconstore.com


TBD


TBD


No

No 81554


No No 81554


TBD


No No N/A


No No N/A


No No N/A



(Shellshock)



No No N/A

Systems Compute Rack 220

No No N/A

File & Content Content Platform (HCP) and Content Platform Anywhere (HCP-AW)

No No All Alert #81528


No Dependent Customer responsible to patch Red Hat Linux installation


No

File & Content Data Ingestor Yes No All Alert #81520

File & Content High-performance NAS Platform

Yes No Alert #81511


No No 81554

File & Content HUS File Module

Yes No Alert #81511

Systems HyperStor TBD

File & Content Mercury Yes No Alert #81511

File & Content NAS 4000 Series Yes No Alert #81511

File & Content NAS Platform Yes No Alert #81511

File & Content NAS Platform F Yes No Alert #81528


No No 81554


No No 81554

File & Content Titan Yes No Alert #81511



(Shellshock)



No No

Systems UCP for Microsoft SQL Server

No No

Systems UCP for Oracle Database

No No

Systems UCP Pro for VMware vSphere

Yes Yes Under investigation

Systems UCP Select for Citrix XenDesktop

No No

Systems UCP Select for Microsoft Private Cloud

No No

Systems UCP Select for Oracle

No No


Yes Yes SUSE Linux Enterprise 9, 10, 11

If you are using versions of Bash in operating systems based on SUSE Linux Enterprise 9, 10 or 11, your servers are potentially at risk. If your systems are compromised, we recommend that you patch your systems right away. Follow this link for the security update from SUSE:

https://www.suse.com/support/update/announcement/2014/suse-su-20141247-1.html

Systems UCP Select for VMware View

No No


No No

Systems Unified Storage (HUS)

No No 81554



(Shellshock)


File & Content Unified Storage File Module (HUS FM)

Yes No 81511


No No 81554


No No 81554

Systems Universal Storage Platform VM (USP VM)

No No 81554

Systems Hitachi Virtual Storage Platform G1000 (VSP G1000)

No No 81554


No No 81554


No No 81554


No No


No No



OpenSSL Heartbleed The following table references Hitachi Data Systems products and accessories affected by the worldwide security issue known as OpenSSL Heartbleed. Open items are actively updated; please review this table frequently for new details.

(Heartbleed)

Product Type Product Name Affected? Version More Information Networking Asempra No

Networking Brocade No FOS, NOS, BNA

Networking BusTech No

Networking Ciena No

Networking Cisco Systems No

See Cisco.com. Advisory ID: cisco-sa-20140409-heartbleed

Networking Ctera No

Networking Emulex No

Networking Qlogic No

Software Application Protector No

Software Arkivio No



Software Clinical Repository - Karos No

Software Clinical Repository - Visbion Yes v1, v2 680669

Software Command Director No

Software Compute Systems Manager No

Software Data Discovery Suite for MS SharePoint No

Software Data Instance Manager No

Software Data Protection Suite No

Software Device Manager No


Software Dynamic Link Manager No


Software e-Copy

Software Extension Pack for Secure FTP Yes All Patch Available April 14, 2014

Software IT Operations Analyzer No

Software IT Operations Analyzer Advance No

Software IT Operations Director No

Software IT Operations Integrator No

Software IT Operations Repository No

Software Microsoft Adapters No

Software NanoCopy



(Heartbleed)

Product Type Product Name Affected? Version More Information Software Oracle Adapters No


Software Protection Manager No

Software Replication Manager No

Software Replication Monitor No

Software SAP Adapters No

Software Sepaton No


Software Seven10 No

Software SpectraLogic No


Software Storage Navigator Modular 2 No



Software Storage Viewer Suite Backup Services Manager (HBSM) Storage Capacity Reporter (HSCR) Storage Fabric Reporter (HSFR) Virtual Server Reporter (HVSR) File Analytics Reporter (HFAR)

No



Software Symantec Adapters No

Software Tiered Storage Manager No

Software Tiered Storage Manager for MF No

Software Tuning Manager No

Software TurboLUN

Software UCP Orchestration Software Yes 2.x, 3.x 080667

Software Virtual Infrastructure Integrator No

Software Virtual Tape Library Diligent No

Software Virtual Tape Library FalconStor No

Software VMware Adapters No


Systems 5700 Series No




Systems 9500 V Series No




(Heartbleed)

Product Type Product Name Affected? Version More Information Systems 9900 V Series No

Systems Adaptable Modular Storage (AMS) No

Systems Adaptable Modular Storage 2000 No


Systems Compute Blade 2000 Yes 080852

Systems Compute Blade 500 Yes 080850

Systems Compute Blade 320 No

Systems Compute Rack 210H/220H/220S Yes 080854

Systems Compute Rack 220 No

Systems Content Archive Platform No

Systems Content Platform (HCP) No

Systems Content Platform Anywhere (HCP-AW) No

Systems Data Discovery Suite No

Systems Data Discovery Suite for MS SharePoint No

Systems Data Ingestor No

Systems Essential NAS Platform No

Systems High-performance NAS Platform No

Systems Hitachi Universal Storage VM Yes

Systems HUS File Module Yes 11.1.3200.00 + 080654

Systems HyperStor

Systems Mercury Yes 11.1.3200.00 + 080654

Systems NAS 4000 Series Yes 11.1.3200.00 + 080654

Systems NAS Platform Yes 11.1.3200.00 + 080654

Systems NAS Platform F No

Systems Network Storage Controller (NSC55) No

Systems Simple Modular Storage (SMS) No

Systems Titan No

Systems UCP for Microsoft Exchange No

Systems UCP for Microsoft SQL Server No

Systems UCP for Oracle Database No

Systems UCP Pro for VMware vSphere Yes 080667

Systems UCP Select for Citrix XenDesktop No

Systems UCP Select for Microsoft Private Cloud No

Systems UCP Select for Oracle No

Systems UCP Select for SAP HANA Yes Scale-Out solutions use HNAS.



(Heartbleed)

Product Type Product Name Affected? Version More Information Please refer to HNAS product for resolution. 080654

Systems UCP Select for VMware View Yes VMware 5.5 See VMware.com; No for VMware 5.1

Systems UCP Select for VMware vSphere Yes VMware 5.5 See VMware.com; No for VMware 5.1

Systems Unified Storage (HUS) No

Systems Unified Storage File Module (HUS FM) Yes 11.1.3200.00 + 080654

Systems Unified Storage VM (HUS VM) Yes OSS V03 080650

Systems Universal Storage Platform V (USP V) No

Systems Universal Storage Platform VM (USP VM) No

Systems Hitachi Virtual Storage Platform G1000 (VSP G1000) Yes OSS V01 080650

Systems Virtual Storage Platform (VSP) Yes OSS V06 080650

Systems Workgroup Modular Storage WMS No

Other Hi-Track Remote Monitoring system No

Other Remote Access Control Center (RACC) No

Cust Letter Shellshock Hitachi

Documents

Transcript of Cust Letter Shellshock Hitachi