EMC Isilon Security Advisories (ESAs)

NOTE: This topic is part of the Uptime Information Hub.

 

EMC Security Advisories (ESAs): ESAs alert you to potential security vulnerabilities and their remedies for EMC products. The advisories include specific details about the issue and instructions to help prevent or alleviate the problem. Common Vulnerabilities and Exposures (CVEs) identify publicly known security concerns. An EMC ESA can address one or more CVEs. All Isilon ESAs, together with the CVEs that they address, are listed in the ESA Tables below.

 

Note: Some security vulnerabilities are not considered critical enough to require an ESA. These are documented in security articles in the Isilon Knowledge Base. These security articles, together with the CVEs that they address, are listed in the Security Article Tables below.

 

False positives: Sometimes a security scan may incorrectly identify a CVE as affecting an EMC product. CVEs in this category are termed false positives. False positives for OneFS and InsightIQ are listed in the False Positives section below.

 

Subscribe to receive ESAs: You can subscribe to receive an email notification every time an ESA is published. See article 334017 for steps to subscribe, or watch the following video.

 

Receive notification when this page is updated: If you would like to be notified when this page is updated, follow this page by clicking Follow in the upper-right area of this page.

 

For more information on what EMC is doing to enhance product security and respond to security vulnerabilities, see the EMC Product Security page.

 

 

ESA Tables

 

ESAs for OneFS

In the table below, the alert symbol in a column indicates that the OneFS family indicated in the column header is affected by this vulnerability. N/A in a column indicates that the OneFS family is not affected by this vulnerability. To determine which versions of OneFS contain a remediation for the issue, click the ESA link to read the full details (requires login). The ESAs are updated each time a fix becomes available for an additional version.

 

Article number | ESA title and CVEs | Issued | OneFS 7.1.0 | OneFS 7.1.1 | OneFS 7.2.0 | OneFS 7.2.1 | OneFS 8.0.0 | OneFS 8.0.1
500685

NEW - ESA-2017-067: EMC Isilon OneFS TCP Security Vulnerability

CVE-2004-0230

2017-06-19
499519

ESA-2017-053: EMC Isilon OneFS Privilege Escalation Vulnerability

CVE-2017-4988

2017-05-04
498111

ESA-2017-027: EMC Isilon OneFS NFS Export Upgrade Vulnerability

CVE-2017-4979

2017-03-30N/AN/A
497466

ESA-2017-033: EMC Isilon OneFS Security Update for OpenSSL

CVE-2017-3731

2017-03-16N/AN/AN/AN/A
497396

ESA-2017-028: EMC Isilon OneFS Path Traversal Vulnerability

CVE-2017-4980

2017-03-15N/A
496316

ESA-2017-014: EMC Isilon OneFS Security Update for HTTPS (Sweet32)

CVE-2016-2183

2017-02-22
495807

ESA-2017-012: EMC Isilon OneFS Security Update for Samba Vulnerability

CVE-2014-3560

2017-02-14N/A
494608

ESA-2016-166: EMC Isilon OneFS Privilege Escalation Vulnerability

CVE-2016-9871

2017-01-17N/AN/A
494140

ESA-2016-161: EMC Isilon OneFS LDAP Injection Vulnerability

CVE-2016-9870

2017-01-06N/A
492082

ESA-2016-151: EMC Isilon Security Update for Multiple OpenSSL

CVE-2016-2182, CVE-2016-0702

2016-11-16
484530

ESA-2016-060: EMC Isilon OneFS Privilege Escalation Vulnerability

CVE-2016-0908

2016-06-03

 

N/AN/A
484146

ESA-2016-061: EMC Isilon OneFS SMB Signing Vulnerability

CVE-2016-0907

2016-05-27N/A
476571

ESA-2016-007: EMC Isilon OneFS Security Update for OpenSSH

CVE-2015-6564

2016-02-10N/AN/A
303167

ESA-2015-175: EMC Isilon OneFS Security Update for OpenSSH Vulnerabilities

CVE-2015-5600

2015-12-16N/AN/A
303180

ESA-2015-148: EMC Isilon OneFS Security Privilege Escalation Vulnerability

CVE-2015-4545

2015-12-16N/AN/A
303174

ESA-2015-181: EMC Isilon OneFS security update for multiple vulnerabilities in NTP

CVE-2015-1798, CVE-2015-1799

2015-12-16N/AN/A
303183

ESA-2015-164: EMC Isilon OneFS Privilege Escalation Vulnerability

CVE-2015-6848

2015-11-23N/AN/A
303181

ESA-2015-155: EMC Isilon OneFS Security Update for Multiple OpenSSL Vulnerabilities

CVE-2014-3570, CVE-2014-3572

2015-10-01N/AN/A
303189

ESA-2015-154: EMC Isilon OneFS Security Update for Multiple NTP Vulnerabilities

CVE-2009-1252, CVE-2014-5209,
CVE-2014-9293, CVE-2014-9294,
CVE-2014-9295, CVE-2014-9296

2015-09-22N/AN/A
303217

ESA-2015-112: EMC Isilon OneFS Command Injection Vulnerability

CVE-2015-4525

2015-06-30N/AN/AN/A
303185

ESA-2015-114: EMC Isilon OneFS Security Update for Multiple Apache HTTP Server Vulnerabilities

CVE-2013-5704, CVE-2013-6438,
CVE-2014-0098, CVE-2014-0118,
CVE-2014-0226, CVE-2014-0231

2015-06-29N/AN/A
303231

ESA-2015-093: EMC Isilon OneFS Apache HTTP Server Denial of Service Vulnerability

CVE-2007-6750

2015-05-20N/AN/AN/A
303279

ESA-2015-049: EMC Isilon OneFS Privilege Escalation Vulnerability

CVE-2015-0528

2015-03-17N/AN/AN/A
303268

ESA-2015-036: EMC Isilon OneFS Security Update for NTP Denial of Service Vulnerability

CVE-2013-5211

2015-03-11N/AN/AN/AN/A
303265

ESA-2015-045: EMC Isilon OneFS Security Update for Multiple Vulnerabilities in OpenSSH

CVE-2008-3259, CVE-2008-5161,
CVE-2010-4478, CVE-2010-5107,
CVE-2012-0814

2015-03-11N/AN/AN/AN/A
303280

ESA-2015-038: EMC Isilon OneFS ConnectEMC Security Update for Multiple Vulnerabilities in OpenSSL

CVE-2014-3505, CVE-2014-3506,
CVE-2014-3507, CVE-2014-3508,
CVE-2014-3509, CVE-2014-3510,
CVE-2014-3511, CVE-2014-3512,
CVE-2014-5139

2015-03-11N/AN/AN/A
303284

ESA-2015-039: EMC Isilon OneFS Security Update for Multiple Vulnerabilities in OpenSSL

CVE-2013-2566, CVE-2014-3567,
CVE-2014-3568

2015-03-11N/AN/AN/A
303270

ESA-2015-034: EMC Isilon OneFS Security Update for MD5 Message-Digest Algorithm Vulnerability

CVE-2004-2761

2015-03-09N/AN/AN/AN/A
303288

ESA-2015-015: EMC Isilon OneFS SSLv3 POODLE Vulnerability

CVE-2014-3566

2015-01-27N/AN/AN/A
303321

ESA-2014-169: EMC Isilon OneFS Security Update for Multiple Embedded Components

CVE-2014-0224, CVE-2014-0221,
CVE-2014-0195, CVE-2014-3470,
CVE-2014-0076, CVE-2011-3368,
CVE-2011-3607, CVE-2011-4317,
CVE-2012-0021, CVE-2012-0031,
CVE-2012-0053, CVE-2012-0883,
CVE-2012-2687, CVE-2012-3499,
CVE-2012-4557, CVE-2012-4558,
CVE-2013-1862, CVE-2013-1896

2014-12-29N/AN/AN/AN/A
303226

ESA-2014-146: EMC Isilon OneFS Security Update for Multiple Vulnerabilities in GNU Bash

CVE-2014-6271, CVE-2014-7169,
CVE-2014-6277, CVE-2014-6278,
CVE-2014-7186, CVE-2014-7186

2014-10-11N/AN/AN/A
303377

ESA-2014-088: EMC Isilon OneFS Security Update for OpenSSL Heartbleed Vulnerability

CVE-2014-0160

2014-09-04N/AN/AN/AN/AN/A

 

ESAs for IsilonSD Edge Management Server

To determine which versions of the IsilonSD Management Server are affected by the issue, or contain a remediation for the issue, click the article link to read the full details (requires login).

Article number | ESA title | CVEs | Issued
491985 | ESA-2016-145: EMC IsilonSD Edge Security Update for Linux Vulnerability ("Dirty COW") | CVE-2016-5195 | 2016-11-15

 

ESAs for InsightIQ

To determine which versions of InsightIQ are affected by the issue, or contain a remediation for the issue, click the article link to read the full details (requires login).

Article number | ESA title | CVEs | Issued
494607 | ESA-2017-001: EMC Isilon InsightIQ Authentication Bypass Vulnerability | CVE-2017-2765 | 2017-01-17
491982 | ESA-2016-144: EMC Isilon InsightIQ Security Update for Linux Vulnerability ("Dirty COW") | CVE-2016-5195 | 2016-11-15
478573 | ESA-2016-024: EMC Isilon InsightIQ Security Update for GNU C Library getaddrinfo() Buffer Overflow Vulnerability | CVE-2015-7547 | 2016-03-04
303213 | ESA-2015-128: EMC Isilon InsightIQ Security Update for Multiple OpenSSL Vulnerabilities | CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204 | 2015-07-27
303263 | ESA-2015-064: EMC Isilon InsightIQ Security Update for Multiple OpenSSH Vulnerabilities | CVE-2008-3259, CVE-2008-5161, CVE-2010-4478, CVE-2010-5107, CVE-2012-0814 | 2015-03-30
303273 | ESA-2015-065: EMC Isilon InsightIQ SSLv3 POODLE Vulnerability | CVE-2014-3566 | 2015-03-30
303281 | ESA-2015-060: EMC Isilon InsightIQ Security Update for GNU C Library “GHOST” Vulnerability | CVE-2015-0235 | 2015-03-26
303276 | ESA-2015-058: EMC Isilon InsightIQ Security Update for OpenSSL Vulnerabilities | CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-3470 | 2015-03-26
303325 | ESA-2014-164: EMC Isilon InsightIQ Cross-Site Scripting Vulnerability | CVE-2014-4628 | 2014-12-09
303278 | ESA-2014-138: EMC Isilon InsightIQ Security Update for Multiple Vulnerabilities in GNU Bash ShellShock | CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 | 2014-10-08

 

ESAs for Isilon for vCenter

To determine which versions of Isilon for vCenter are affected by the issue, or contain a remediation for the issue, click the article link to read the full details (requires login).

Article number | ESA title | CVEs | Issued
303298 | ESA-2015-022: EMC Isilon for vCenter Security Update for GNU C Library "GHOST" Vulnerability | CVE-2015-0235 | 2015-02-25
303320 | ESA-2014-144: EMC Isilon for vCenter Security Update for Multiple Vulnerabilities in GNU Bash | CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187 | 2015-01-16

 

 

Security Article Tables

 

OneFS Security Articles

In the table below, the alert symbol in a column indicates that the OneFS family indicated in the column header is affected by this vulnerability. N/A in a column indicates that the OneFS family is not affected by this vulnerability. To determine which versions of OneFS contain a remediation for the issue, click the article link to read the full details (requires login). The articles will be updated when fixes are available for additional versions.

Article number | Article title and CVEs | Issued | OneFS 7.1.0 | OneFS 7.1.1 | OneFS 7.2.0 | OneFS 7.2.1 | OneFS 8.0.0 | OneFS 8.0.1
495440

EMC Isilon OneFS Security Vulnerability for NTP (CVE-2016-7434)

CVE-2016-7434

2017-02-13
491163

EMC Isilon OneFS Security Vulnerability for HTTPS (Sweet32)

CVE-2016-2183

2017-01-10
487908

EMC Isilon OneFS Security Vulnerability for Apache (CVE-2015-3183)

CVE-2015-3183

2016-08-22N/AN/A
301751

Isilon OneFS: The OneFS Representational State Transfer (REST) web service is vulnerable to the Slowloris attack

CVE-2007-6750

2015-09-03N/AN/A
301739

EMC Isilon OneFS Security Vulnerability for Apache ("Bar Mitzvah" attack)

CVE-2015-2808

2015-08-06N/AN/AN/AN/A
301746

EMC Isilon OneFS Security Vulnerability for TLS protocol version 1.2 and earlier ("Logjam" attack)

CVE-2015-4000

2015-08-06N/AN/A
479386

EMC Isilon OneFS is Not Vulnerable to the Badlock Vulnerability

CVE-2016-2118, CVE-2016-0128

2016-04-21N/AN/AN/AN/AN/AN/A
301800

EMC Isilon OneFS SNMP Default Community Name Vulnerability

CVE-1999-0516, CVE-1999-0517, CVE-1999-0254, CVE-2002-0109, CVE-2004-1474

2015-03-02N/A

N/A

N/AN/A
301797

EMC Isilon OneFS Security Vulnerabilities for Apache

CVE-2004-2320, CVE-2010-0386, CVE-2003-1567
2015-02-20N/AN/AN/AN/A
301801

EMC Isilon OneFS and InsightIQ Security Vulnerabilities for OpenSSL Browser Exploit Against SSL/TLS Attack (BEAST)

CVE-2011-3389

2015-01-29N/AN/AN/A
301824

EMC Isilon OneFS Security Vulnerability: Non-required accounts are enabled

No CVE.

2015-01-16

 

InsightIQ Security Articles

To determine which versions of InsightIQ are affected by the issue, or contain a remediation for the issue, click the article link to read the full details (requires login).

Article number | Article title | CVEs | Issued
301788 | EMC Isilon InsightIQ Multiple Security Vulnerabilities for OpenSSL | CVE-2015-4000, CVE-2015-2808, CVE-2013-2566 | 2015-08-06
301801 | EMC Isilon OneFS and InsightIQ Security Vulnerabilities for OpenSSL Browser Exploit Against SSL/TLS Attack (BEAST) | CVE-2011-3389 | 2015-01-29

 

 

False Positives

The Isilon security team has determined that the following CVEs do not affect any versions of OneFS or InsightIQ. For details, see EMC Isilon OneFS and InsightIQ False Positive Security Vulnerabilities (login required).

 

OneFS False Positives - Updated August 11, 2017

CVE-1999-0017, CVE-2004-0230, CVE-2010-1634, CVE-2010-2089, CVE-2010-3492, CVE-2010-3493, CVE-2011-1521,

CVE-2011-4940, CVE-2011-4944, CVE-2012-0845, CVE-2012-1150, CVE-2012-6150, CVE-2013-0172, CVE-2013-0213,

CVE-2013-0214, CVE-2013-1863, CVE-2013-4124, CVE-2013-4238, CVE-2013-4408, CVE-2013-4476, CVE-2013-4496,

CVE-2013-6442, CVE-2013-7040, CVE-2014-0244, CVE-2014-1912, CVE-2014-2532, CVE-2014-3493, CVE-2014-7185,

CVE-2014-8143, CVE-2014-8275, CVE-2014-8730, CVE-2015-0204, CVE-2015-0228, CVE-2015-1793, CVE-2015-3193,

CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-3197, CVE-2015-3197, CVE-2015-3223, CVE-2015-5252,

CVE-2015-5296, CVE-2015-5299, CVE-2015-5330, CVE-2015-5352, CVE-2015-5370, CVE-2015-7540, CVE-2015-7560,

CVE-2015-8467, CVE-2016-0705, CVE-2016-0771, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800,

CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2110, CVE-2016-2111,

CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118, CVE-2016-2119, CVE-2016-2176,

CVE-2016-2178, CVE-2016-2179, CVE-2016-2181, CVE-2016-3115, CVE-2016-6303, CVE-2016-6304, CVE-2016-7053,

CVE-2016-7054, CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-8704, CVE-2016-8705, CVE-2016-8706,

CVE-2016-8743, CVE-2016-9311, CVE-2016-9312, CVE-2017-5689, CVE-2017-7494, CVE-2017-9788

 

InsightIQ False Positives

CVE-2015-3197, CVE-2016-0728