CVE-2019-3722 and CVE-2019-3723
: See Details section below of individual CVSS Scores for each CVE
- Dell EMC OpenManage Server Administrator (OMSA) versions prior to 184.108.40.206
- Dell EMC OpenManage Server Administrator (OMSA) versions prior to 220.127.116.11
Dell EMC OpenManage System Administrator has been updated to address multiple security vulnerabilities which may potentially be exploited to compromise the system.
- XML External Entity (XXE) Injection Vulnerability (CVE-2019-3722)
Dell EMC OpenManage Server Administrator (OMSA) versions prior to 18.104.22.168 and prior to 22.214.171.124 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request.
CVSSv3 Base Score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- Web Parameter Tampering Vulnerability (CVE-2019-3723)
Dell EMC OpenManage Server Administrator (OMSA) versions prior to 126.96.36.199 and prior to 188.8.131.52 contain a web parameter tampering vulnerability. A remote unauthenticated attacker could potentially manipulate parameters of web requests to OMSA to create arbitrary files with empty content or delete the contents of any existing file, due to improper input parameter validation.
CVSSv3 Base Score 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
The following Dell EMC OpenManage Server Administrator releases contain resolutions to these vulnerabilities:
- Dell EMC OpenManage Server Administrator 184.108.40.206 and later
- Dell EMC OpenManage Server Administrator 220.127.116.11 and later
- Dell EMC OpenManage Server Administrator 9.3.0 and later
Dell EMC recommends all customers upgrade at the earliest opportunity.
Link to remedies
Customers can download OpenManage Server Administrator for PowerEdge servers
. For all other platforms, please select the platform from the Dell support site.
Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.