EMC Isilon Security Advisories (ESAs)

NOTE: This topic is part of the Uptime Information Hub.

 

EMC Security Advisories (ESAs): ESAs alert you to potential security vulnerabilities and their remedies for EMC products. The advisories include specific details about the issue and instructions to help prevent or alleviate the problem. Common Vulnerabilities and Exposures (CVEs) identify publicly known security concerns. An EMC ESA can address one or more CVEs. All Isilon ESAs, together with the CVEs that they address, are listed in the ESA Tables below.

 

Note: Some security vulnerabilities are not considered critical enough to require an ESA. These are documented in security articles in the Isilon Knowledge Base. These security articles, together with the CVEs that they address, are listed in the Security Article Tables below.

 

False positives: Sometimes a security scan may incorrectly identify a CVE as affecting an EMC product. CVEs in this category are termed false positives. False positives for OneFS and InsightIQ are listed in the False Positives section below.

 

Subscribe to receive ESAs: You can subscribe to receive an email notification every time an ESA is published. See article 334017 for steps to subscribe, or watch the following video.

 

Receive notification when this page is updated: If you would like to be notified when this page is updated, follow this page by clicking Follow in the upper-right area of this page.

 

For more information on what EMC is doing to enhance product security and respond to security vulnerabilities, see the EMC Product Security page.

 

 

ESA Tables

 

ESAs for OneFS

In the table below, an alert symbol in a column indicates that the OneFS family named in the column header is affected by the vulnerability. N/A in a column indicates that the OneFS family is not affected by the vulnerability. To determine which versions of OneFS contain a remediation for the issue, click the ESA link to read the full details (requires login). The ESAs are updated each time a fix becomes available for an additional version.

        

Article number | ESA title and CVEs | Issued | OneFS 7.1.0 | OneFS 7.1.1 | OneFS 7.2.0 | OneFS 7.2.1 | OneFS 8.0.0 | OneFS 8.0.1
499519

NEW - ESA-2017-053: EMC Isilon OneFS Privilege Escalation Vulnerability

  

CVE-2017-4988

May 4, 2017
498111

ESA-2017-027: EMC Isilon OneFS NFS Export Upgrade Vulnerability

CVE-2017-4979

March 30, 2017 N/A N/A
497466

ESA-2017-033: EMC Isilon OneFS Security Update for OpenSSL

CVE-2017-3731

March 16, 2017 N/A N/A N/A N/A
497396

ESA-2017-028: EMC Isilon OneFS Path Traversal Vulnerability

CVE-2017-4980

March 15, 2017 N/A
496316

ESA-2017-014: EMC Isilon OneFS Security Update for HTTPS (Sweet32)

CVE-2016-2183

February 22, 2017
495807

ESA-2017-012: EMC Isilon OneFS Security Update for Samba Vulnerability

CVE-2014-3560

February 14, 2017 N/A
494608

ESA-2016-166: EMC Isilon OneFS Privilege Escalation Vulnerability

CVE-2016-9871

January 17, 2017 N/A N/A
494140

ESA-2016-161: EMC Isilon OneFS LDAP Injection Vulnerability

CVE-2016-9870

January 6, 2017 N/A
492082

ESA-2016-151: EMC Isilon Security Update for Multiple OpenSSL

CVE-2016-2182, CVE-2016-0702

November 16, 2016
484530

ESA-2016-060: EMC Isilon OneFS Privilege Escalation Vulnerability

CVE-2016-0908

June 3, 2016 N/A N/A
484146

ESA-2016-061: EMC Isilon OneFS SMB Signing Vulnerability

CVE-2016-0907

May 27, 2016 N/A
476571

ESA-2016-007: EMC Isilon OneFS Security Update for OpenSSH

CVE-2015-6564

February 10, 2016 N/A N/A
303167

ESA-2015-175: EMC Isilon OneFS Security Update for OpenSSH Vulnerabilities

CVE-2015-5600

December 16, 2015 N/A N/A
303180

ESA-2015-148: EMC Isilon OneFS Security Privilege Escalation Vulnerability

CVE-2015-4545

December 16, 2015 N/A N/A
303174

ESA-2015-181: EMC Isilon OneFS security update for multiple vulnerabilities in NTP

CVE-2015-1798, CVE-2015-1799

December 16, 2015 N/A N/A
303183

ESA-2015-164: EMC Isilon OneFS Privilege Escalation Vulnerability

CVE-2015-6848

November 23, 2015 N/A N/A
303181

ESA-2015-155: EMC Isilon OneFS Security Update for Multiple OpenSSL Vulnerabilities

CVE-2014-3570, CVE-2014-3572

October 01, 2015 N/A N/A
303189

ESA-2015-154: EMC Isilon OneFS Security Update for Multiple NTP Vulnerabilities

CVE-2009-1252, CVE-2014-5209,
CVE-2014-9293, CVE-2014-9294,
CVE-2014-9295, CVE-2014-9296

September 22, 2015 N/A N/A
303217

ESA-2015-112: EMC Isilon OneFS Command Injection Vulnerability

CVE-2015-4525

June 30, 2015 N/A N/A N/A
303185

ESA-2015-114: EMC Isilon OneFS Security Update for Multiple Apache HTTP Server Vulnerabilities

CVE-2013-5704, CVE-2013-6438,
CVE-2014-0098, CVE-2014-0118,
CVE-2014-0226, CVE-2014-0231

June 29, 2015 N/A N/A
303231

ESA-2015-093: EMC Isilon OneFS Apache HTTP Server Denial of Service Vulnerability

CVE-2007-6750

May 20, 2015 N/A N/A N/A
303279

ESA-2015-049: EMC Isilon OneFS Privilege Escalation Vulnerability

CVE-2015-0528

March 17, 2015 N/A N/A N/A
303268

ESA-2015-036: EMC Isilon OneFS Security Update for NTP Denial of Service Vulnerability

CVE-2013-5211

March 11, 2015 N/A N/A N/A N/A
303265

ESA-2015-045: EMC Isilon OneFS Security Update for Multiple Vulnerabilities in OpenSSH

CVE-2008-3259, CVE-2008-5161,
CVE-2010-4478, CVE-2010-5107,
CVE-2012-0814

March 11, 2015 N/A N/A N/A N/A
303280

ESA-2015-038: EMC Isilon OneFS ConnectEMC Security Update for Multiple Vulnerabilities in OpenSSL

CVE-2014-3505, CVE-2014-3506,
CVE-2014-3507, CVE-2014-3508,
CVE-2014-3509, CVE-2014-3510,
CVE-2014-3511, CVE-2014-3512,
CVE-2014-5139

March 11, 2015 N/A N/A N/A
303284

ESA-2015-039: EMC Isilon OneFS Security Update for Multiple Vulnerabilities in OpenSSL

CVE-2013-2566, CVE-2014-3567,
CVE-2014-3568

March 11, 2015 N/A N/A N/A
303270

ESA-2015-034: EMC Isilon OneFS Security Update for MD5 Message-Digest Algorithm Vulnerability

CVE-2004-2761

March 9, 2015 N/A N/A N/A N/A
303288

ESA-2015-015: EMC Isilon OneFS SSLv3 POODLE Vulnerability

CVE-2014-3566

January 27, 2015 N/A N/A N/A
303321

ESA-2014-169: EMC Isilon OneFS Security Update for Multiple Embedded Components

CVE-2014-0224, CVE-2014-0221,
CVE-2014-0195, CVE-2014-3470,
CVE-2014-0076, CVE-2011-3368,
CVE-2011-3607, CVE-2011-4317,
CVE-2012-0021, CVE-2012-0031,
CVE-2012-0053, CVE-2012-0883,
CVE-2012-2687, CVE-2012-3499,
CVE-2012-4557, CVE-2012-4558,
CVE-2013-1862, CVE-2013-1896

December 29, 2014 N/A N/A N/A N/A
303226

ESA-2014-146: EMC Isilon OneFS Security Update for Multiple Vulnerabilities in GNU Bash

CVE-2014-6271, CVE-2014-7169,
CVE-2014-6277, CVE-2014-6278,
CVE-2014-7186, CVE-2014-7186

October 11, 2014 N/A N/A N/A
303377

ESA-2014-088: EMC Isilon OneFS Security Update for OpenSSL Heartbleed Vulnerability

CVE-2014-0160

September 4, 2014 N/A N/A N/A N/A N/A

 

ESAs for IsilonSD Edge Management Server

To determine which versions of the IsilonSD Management Server are affected by the issue, or contain a remediation for the issue, click the article link to read the full details (requires login).

Article number | ESA title and CVEs | Issued
491985

ESA-2016-145: EMC IsilonSD Edge Security Update for Linux Vulnerability ("Dirty COW")

CVE-2016-5195

November 15, 2016

 

ESAs for InsightIQ

To determine which versions of InsightIQ are affected by the issue, or contain a remediation for the issue, click the article link to read the full details (requires login).

Article number | ESA title and CVEs | Issued
494607

ESA-2017-001: EMC Isilon InsightIQ Authentication Bypass Vulnerability

CVE-2017-2765

January 17, 2017
491982

ESA-2016-144: EMC Isilon InsightIQ Security Update for Linux Vulnerability ("Dirty COW")

CVE-2016-5195

November 15, 2016
478573

ESA-2016-024: EMC Isilon InsightIQ Security Update for GNU C Library getaddrinfo () Buffer Overflow Vulnerability

CVE-2015-7547

March 4, 2016
303213

ESA-2015-128: EMC Isilon InsightIQ Security Update for Multiple OpenSSL Vulnerabilities

CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204

July 27, 2015
303263

ESA-2015-064: EMC Isilon InsightIQ Security Update for Multiple OpenSSH Vulnerabilities

CVE-2008-3259, CVE-2008-5161, CVE-2010-4478, CVE-2010-5107,
CVE-2012-0814

March 30, 2015
303273

ESA-2015-065: EMC Isilon InsightIQ SSLv3 POODLE Vulnerability

CVE-2014-3566

March 30, 2015
303281

ESA-2015-060: EMC Isilon InsightIQ Security Update for GNU C Library “GHOST” Vulnerability

CVE-2015-0235

March 26, 2015
303276

ESA-2015-058: EMC Isilon InsightIQ Security Update for OpenSSL Vulnerabilities

CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-3470

March 26, 2015
303325

ESA-2014-164: EMC Isilon InsightIQ Cross-Site Scripting Vulnerability

CVE-2014-4628

December 9, 2014
303278

ESA-2014-138: EMC Isilon InsightIQ Security Update for Multiple Vulnerabilities in GNU Bash ShellShock

CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187,
CVE-2014-6277, CVE-2014-6278

October 8, 2014

 

ESAs for Isilon for vCenter

To determine which versions of Isilon for vCenter are affected by the issue, or contain a remediation for the issue, click the article link to read the full details (requires login).

Article number | ESA title and CVEs | Issued
303298

ESA-2015-022: EMC Isilon for vCenter Security Update for GNU C Library "GHOST" Vulnerability

CVE-2015-0235

February 25, 2015
303320

ESA-2014-144: EMC Isilon for vCenter Security Update for Multiple Vulnerabilities in GNU Bash

CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278,
CVE-2014-7186, CVE-2014-7187

January 16, 2015

 

 

Security Article Tables

 

OneFS Security Articles

In the table below, an alert symbol in a column indicates that the OneFS family named in the column header is affected by the vulnerability. N/A in a column indicates that the OneFS family is not affected by the vulnerability. To determine which versions of OneFS contain a remediation for the issue, click the article link to read the full details (requires login). The articles will be updated when fixes are available for additional versions.

Article number | Article title and CVEs | Issued | OneFS 7.1.0 | OneFS 7.1.1 | OneFS 7.2.0 | OneFS 7.2.1 | OneFS 8.0.0 | OneFS 8.0.1
495440

EMC Isilon OneFS Security Vulnerability for NTP (CVE-2016-7434)

CVE-2016-7434

February 13, 2017
491163

EMC Isilon OneFS Security Vulnerability for HTTPS (Sweet32)

CVE-2016-2183

January 10, 2017
487908

EMC Isilon OneFS Security Vulnerability for Apache (CVE-2015-3183)

CVE-2015-3183

August 22, 2016 N/A N/A
301751

Isilon OneFS: The OneFS Representational State Transfer (REST) web service is vulnerable to the Slowloris attack

CVE-2007-6750

September 3, 2015 N/A N/A
301739

EMC Isilon OneFS Security Vulnerability for Apache ("Bar Mitzvah" attack)

CVE-2015-2808

August 6, 2015 N/A N/A N/A N/A
301746

EMC Isilon OneFS Security Vulnerability for TLS protocol version 1.2 and earlier ("Logjam" attack)

CVE-2015-4000

August 6, 2015 N/A N/A
479386

EMC Isilon OneFS is Not Vulnerable to the Badlock Vulnerability

CVE-2016-2118, CVE-2016-0128

April 21, 2016 N/A N/A N/A N/A N/A N/A
301800

EMC Isilon OneFS SNMP Default Community Name Vulnerability

CVE-1999-0516, CVE-1999-0517, CVE-1999-0254, CVE-2002-0109, CVE-2004-1474

March 2, 2015 N/A N/A N/A N/A
301797

EMC Isilon OneFS Security Vulnerabilities for Apache

CVE-2004-2320, CVE-2010-0386, CVE-2003-1567
February 20, 2015 N/A N/A N/A N/A
301801

EMC Isilon OneFS and InsightIQ Security Vulnerabilities for OpenSSL Browser Exploit Against SSL/TLS Attack (BEAST)

CVE-2011-3389

January 29, 2015 N/A N/A N/A
301824

EMC Isilon OneFS Security Vulnerability: Non-required accounts are enabled

No CVE.

January 16, 2015

 

InsightIQ Security Articles

To determine which versions of InsightIQ are affected by the issue, or contain a remediation for the issue, click the article link to read the full details (requires login).

Article number | Article title and CVEs | Issued
301788

EMC Isilon InsightIQ Multiple Security Vulnerabilities for OpenSSL

CVE-2015-4000, CVE-2015-2808, CVE-2013-2566

August 6, 2015
301801

EMC Isilon OneFS and InsightIQ Security Vulnerabilities for OpenSSL Browser Exploit Against SSL/TLS Attack (BEAST)

CVE-2011-3389

January 29, 2015

 

 

False Positives

The Isilon security team has determined that the following CVEs do not affect any versions of OneFS or InsightIQ. For details, see EMC Isilon OneFS and InsightIQ False Positive Security Vulnerabilities (login required).

 

OneFS False Positives - Updated May 3, 2017

CVE-1999-0017, CVE-2010-1634, CVE-2010-2089, CVE-2010-3492, CVE-2010-3493, CVE-2011-1521, CVE-2011-4940,
CVE-2011-4944, CVE-2012-0845, CVE-2012-1150, CVE-2012-6150, CVE-2013-0172, CVE-2013-0213, CVE-2013-0214,
CVE-2013-1863, CVE-2013-4124, CVE-2013-4238, CVE-2013-4408, CVE-2013-4476, CVE-2013-4496, CVE-2013-6442,
CVE-2013-7040, CVE-2014-0244, CVE-2014-1912, CVE-2014-2532, CVE-2014-3493, CVE-2014-7185, CVE-2014-8143,
CVE-2014-8275, CVE-2014-8730, CVE-2015-0204, CVE-2015-0228, CVE-2015-1793, CVE-2015-3193, CVE-2015-3194,
CVE-2015-3195, CVE-2015-3196, CVE-2015-3197, CVE-2015-3197, CVE-2015-3223, CVE-2015-5252, CVE-2015-5296,
CVE-2015-5299, CVE-2015-5330, CVE-2015-5352, CVE-2015-5370, CVE-2015-7540, CVE-2015-7560, CVE-2015-8467,
CVE-2016-0705, CVE-2016-0771, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800, CVE-2016-2105,
CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112,
CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118, CVE-2016-2119, CVE-2016-2176, CVE-2016-2178,
CVE-2016-2179, CVE-2016-2181, CVE-2016-3115, CVE-2016-6303, CVE-2016-6304, CVE-2016-7053, CVE-2016-7054,
CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-8704, CVE-2016-8705, CVE-2016-8706, CVE-2016-8743,
CVE-2016-9311, CVE-2016-9312

 

 

InsightIQ False Positives

CVE-2015-3197, CVE-2016-0728