NetApp’s Response to Customers regarding the SolarWinds Threat

A wide-reaching software supply chain attack was recently uncovered in which a vendor with products deployed at corporations and government agencies across the globe was compromised, resulting in multiple breaches. The Cybersecurity and Infrastructure Security Agency (CISA) has identified SolarWinds Orion as one of the initial access vectors. NetApp continues to monitor the situation as it develops.

The security of both NetApp's and our customers' data is a top priority. We can confirm that NetApp products do not ship the affected SolarWinds Orion software or any components specific to SolarWinds. NetApp customers running SolarWinds Orion should review the recommendations in SolarWinds' Security Advisory and FAQ. Customers are encouraged to monitor the Cybersecurity and Infrastructure Security Agency (CISA) Supply Chain Compromise website for new information as it develops. In addition, at this time there is no known impact to NetApp’s products, services or operations.

NetApp's Response

Upon notice of the SolarWinds Orion Platform software compromise, the NetApp Security team initiated investigations in accordance with our incident response processes. NetApp followed the guidance issued to all SolarWinds customers in addition to following our internal processes for investigation, forensics analysis, and threat mitigation. NetApp will continue to remain vigilant regarding all aspects of this challenging and evolving situation.

NetApp plans to provide updates on our investigation and answers to common questions on this webpage. It should be considered the single source of current, up-to-date, authorized, and accurate information from NetApp.

Frequently Asked Questions (Updated January 6, 2021):

1. Are NetApp products affected by the SolarWinds Orion vulnerability?

No. NetApp products do not ship the affected SolarWinds Orion software or any components specific to SolarWinds.

2. Does NetApp utilize SolarWinds Orion software for internal use?

Yes. NetApp utilizes SolarWinds Orion for a limited number of internal environments.

3. Does NetApp use SolarWinds Orion software versions identified as impacted?

NetApp identified affected versions of the SolarWinds Orion software in our internal environment and applied mitigations in accordance with SolarWinds-provided guidance, which is available in their Security Advisory and FAQ.

4. What remediation actions have been taken or are planned?

All affected versions of SolarWinds software have been remediated based upon the recommended actions provided by the vendor and CISA. NetApp security systems have been updated to detect and block known attack vectors. NetApp will continue to monitor for new mitigations or recommended remediation steps. We are continuing to track recommended mitigations and have completed the steps required to ensure NetApp is up to date with current guidance at this time.

5. Has any customer data handled by NetApp been exposed as a result of this issue?

At this time there is no evidence to suggest that customer data was exposed or exfiltrated due to the use of this software. NetApp continues to monitor for impact and maintains its incident response processes and teams to ensure timely notification if the situation changes.

6. What is the impact to NetApp’s business?

At this time there is no known impact to NetApp’s products, services or operations.

7. How does NetApp protect its environment from potentially affected software?

Generally, NetApp does not disclose the details of its Cyber Security program. In response to this effort, however, NetApp has followed the recommendations from SolarWinds and CISA. These actions include, but are not limited to, affected host isolation or shutdown, host remediation efforts, and increased monitoring for known attack vectors. Our security team and partners are working 24x7 to protect NetApp.

8. How does NetApp secure its products?

NetApp follows secure development principles throughout our product development lifecycle. We expand and improve on our secure-development programs on a continuing basis. As a part of our standard procedures, we implement secure design principles, developer training, and extensive testing programs.

9. Have NetApp’s suppliers and vendors been impacted by the SolarWinds Orion compromise?

NetApp is engaging with our supply chain to determine if any suppliers or vendors were impacted by this compromise. NetApp has not been made aware of any supplier or vendor issues related to the SolarWinds Orion compromise at this time.

For questions not covered in the FAQ, send the question(s) to ng-solarwindsinquiry@netapp.com for follow-up.

For media inquiries, please contact xdl-uspr@netapp.com.