**Lenovo Security Advisory:**LEN-56879
**Potential Impact:**Unauthorized modification, information disclosure
**Severity:**Medium
**Scope of Impact:**Industry-wide
**CVE Identifier:**CVE-2020-8578, CVE-2020-8581, CVE-2020-8588, CVE-2020-8589, CVE-2020-8590
Summary Description:
NetApp reported the following vulnerabilities in NetApp Clustered Data ONTAP.
CVE-2020-8578: NetApp Clustered Data ONTAP versions prior to 9.3P20 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the βremove-private-data parameter is set to true.
CVE-2020-8581: NetApp reported that NetApp Clustered Data ONTAP versions prior to 9.3P20 and 9.5 are susceptible to a vulnerability which could allow an authenticated but unauthorized attacker to overwrite arbitrary data when VMware vStorage support is enabled.
CVE-2020-8588: NetApp Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the existence of data on other Storage Virtual Machines (SVMs).
CVE-2020-8589: NetApp Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the names of other Storage Virtual Machines (SVMs) and filenames on those SVMs.
CVE-2020-8590: NetApp Clustered Data ONTAP versions prior to 9.1P18 and 9.3P12 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the βremove-private-data parameter is set to true.
Mitigation Strategy for Customers (what you should do to protect yourself):
NetApp recommends updating to the appropriate NetApp Clustered Data ONTAP version for your product as indicated in the Product Impact section below.