NVP vProxy: Security Vulnerability Detected on the NetWorker vProxy Appliance Version 4.3.0-46

Summary: A security vulnerability was detected on the NetWorker vProxy appliance version 4.3.0-46.


Symptoms

The following CVEs were recently reported by a security scan using Rapid7:

  • CVE-2023-3159

A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw, a local attacker with special privilege may cause a use after free problem when queue_event() fails.

  • CVE-2023-2002

A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.

  • CVE-2023-35001

Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace.

Cause

These issues are raised to NetWorker engineering.

Resolution

The security vulnerabilities described in the CVEs are already addressed in vProxy 4.3.0-49. Update the vProxy to 4.3.0-49 or newer.

vProxy OVAs are available for download through the Dell Support NetWorker Product Page.

See the following Dell articles for upgrade information:

Additional Information

Article Properties
Article Number: 000217071
Article Type: Solution
Last Modified: 28 Feb 2024
Version: 5