Storage analysts say that while any vulnerability can be significant, vulnerabilities are far from uncommon, and NeoScale appears to have fixed the problem in a timely manner. "The CERT warning talks about a fix," says Diane McAdam of The Clipper Group. "It sounds like a problem NeoScale addressed."
So why put out an advisory after the problem has been fixed? CERT does not publish vulnerabilities until they are fixed because it doesn't want to publicize security holes. And now that there is a fix, customers need to know about it.
"The way I'm reading this, CERT is saying, 'You better check what version you're running,' " McAdam says. "This is a way of alerting people, if you've got this unit, check your version number."
Analyst Greg Schulz of StorageIO agrees, saying vendors and customers share responsibility for staying current on security upgrades.
"Regardless of who your vendor is, you need to stay up to date with software, firmware, anti-virus definitions, whether we're talking about encryption, storage, operating systems, or whatever," he says.