Dell EMC OpenManage Enterprise False Positive Security Vulnerabilities
Summary: This article provides a list of security vulnerabilities that cannot be exploited on all versions of Dell EMC OpenManage Enterprise, but which may be identified by security scanners.
Security Article Type
Security KB
CVE Identifier
The CVE IDs are listed in the table below.
Issue Summary
This article provides a list of security vulnerabilities that cannot be exploited on all versions of Dell EMC OpenManage Enterprise, but which may be identified by security scanners.
Recommendations
The vulnerabilities listed in the table below are ordered by the date on which Dell EMC OpenManage Enterprise Engineering determined that all versions of Dell EMC OpenManage Enterprise were not vulnerable.
| Third-party Component | CVE IDs | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
| --- | --- | --- | --- | --- |
| Log4j-2.16 | CVE-2021-45105 | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to potentially cause a denial of service when a crafted string is interpreted. | Dell EMC OpenManage Enterprise log configuration is not using the context lookups (for example, ${ctx:loginId}) in the Log4j pattern layout. | December 17, 2021 |
| Log4j-2.16 | CVE-2021-44832 | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file may potentially construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can run remote code. | Dell EMC OpenManage Enterprise team confirmed that JDBC Appender is being used, and it is not configured to use any protocol other than Java. | December 29, 2021 |
| Spring-mvc | CVE-2022-22965 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) using data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. | This vulnerability is not applicable to Dell EMC OpenManage Enterprise because its JDK usage and application deployment differ from the prerequisites of the vulnerability. | April 8, 2022 |
| Spring-Cloud | CVE-2022-22963 | In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. | OpenManage Enterprise is not using the Spring Cloud libraries. | April 8, 2022 |
| Spring Framework | CVE-2022-22950 | In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and earlier unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. | OpenManage Enterprise is not using SpEL, and the team is not aware of any other practical way to exploit this vulnerability. | April 8, 2022 |
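
A scanner finding for the two Log4j rows above can be cross-checked against the logging configuration itself. The following Python check is an added example, not Dell code: it parses a Log4j2 XML configuration and reports context lookups in pattern layouts (the CVE-2021-45105 precondition) and JDBC Appender data sources whose JNDI name does not use the `java:` protocol (the CVE-2021-44832 precondition). The sample configuration, appender names and host are constructed, and attribute names are assumed to be written in their documented case.

```python
import re
import xml.etree.ElementTree as ET

CTX_LOOKUP = re.compile(r"\$\{ctx:[^}]*\}")  # also matches the escaped $${ctx:...} form

# Constructed sample configuration (not taken from OpenManage Enterprise).
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="console">
      <PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/>
    </Console>
    <File name="file" fileName="app.log">
      <PatternLayout><Pattern>%d %p %X{loginId} %m%n</Pattern></PatternLayout>
    </File>
    <JDBC name="db" tableName="logs">
      <DataSource jndiName="ldap://db.example.invalid/ds"/>
    </JDBC>
    <JDBC name="db2" tableName="logs">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
    </JDBC>
  </Appenders>
</Configuration>"""

def local(tag):
    """Lower-cased element name without any XML namespace."""
    return tag.rsplit("}", 1)[-1].lower()

def audit_log4j2_config(xml_text):
    """Return (cve, appender_name, detail) findings for the two preconditions."""
    findings = []
    root = ET.fromstring(xml_text)
    for appenders in (e for e in root.iter() if local(e.tag) == "appenders"):
        for appender in appenders:
            name = appender.get("name", "?")
            for el in appender.iter():
                if local(el.tag) == "patternlayout":
                    # Pattern may be an attribute or a nested <Pattern> element.
                    patterns = [el.get("pattern") or ""]
                    patterns += [c.text or "" for c in el if local(c.tag) == "pattern"]
                    for p in patterns:
                        for m in CTX_LOOKUP.findall(p):
                            findings.append(("CVE-2021-45105", name, m))
                if local(appender.tag) == "jdbc" and local(el.tag) == "datasource":
                    jndi = el.get("jndiName", "")
                    if not jndi.startswith("java:"):
                        findings.append(("CVE-2021-44832", name, jndi))
    return findings
```

An empty result means neither precondition is present in the file that was checked; the `%X{loginId}` Thread Context Map pattern in the sample is not a context lookup and is not reported.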
Affected Products
Dell OpenManage Enterprise, Dell EMC OpenManage Enterprise, Product Security Information
Article Properties
Article Number: 000194933
Article Type: Security KB
Last Modified: 12 May 2026
Version: 4