Through regular security vulnerability scanning processes, Instaclustr by NetApp has detected a security vulnerability affecting customer clusters on the Instaclustr Managed Platform: CVE-2024-32487. This vulnerability is related to Debian, which is a key component of our Managed Platform. As such,  Instaclustr will reach out to affected customers to organise patching soon.  

Impact Analysis: CVE-2024-32487 

Instaclustr performed an investigation into this vulnerability and its potential impact on customers of our Managed Platform and assessed its severity rating as 7.8 – High on the CVSS v3.1 scale. The findings are listed below:   

• The main risk of this vulnerability is OS command execution when the victim runs
  
  less

  1

  less

  
  on a file with attacker-controlled file name.
• Exploiting this vulnerability requires either that the victim download an attacker-named file or that the attacker have the ability to login to the node to modify or create files. 
• The risk of this vulnerability is reduced by Instaclustr’s access control mechanisms for customer clusters. For more detail refer to our Security policy. 

Mitigation Approaches  

Customers using the Instaclustr Managed Platform are advised to review the access permissions on their Instaclustr clusters to ensure access is restricted to the minimum permissions sets, IP addresses, and trusted clients. You can find information about how to manage users, access controls and firewalls on our support documentation portal. 

Instaclustr Response 

To ensure these fixes are delivered to all affected clusters on our Managed Platform, our Support team will immediately patch existing clusters..

• PCI-enabled clusters will be patched as a priority starting in mid-July 2024. Customers with PCI clusters will be notified soon to organize patching.  
• Non-PCI customers will have their clusters patched as part of our regular patching cycle in late July 2024. These customers will be contacted soon to organize patching. 
• As described in the impact analysis, Instaclustr’s built-in access control mechanisms reduce the likelihood of exploit. However, non-PCI customers who are concerned about this vulnerability affecting their existing clusters can opt-in to upgrade sooner than the regular patching cycle in late July 2024. Please contact [email protected] to opt-in for earlier patching.  
• For customers who do not opt–in for earlier patching, please be advised that our Support team will patch your existing cluster version as part of the scheduled OS patching cycle in late July 2024.