Article Number: 000211365
Critical
Third-Party Component | CVE(s) | More information |
---|---|---|
Zlib | CVE-2022-37434, CVE-2018-25032 | https://nvd.nist.gov/vuln/detail/CVE-2022-37434 |
Apache Tomcat | CVE-2022-29885, CVE-2022-34305 | https://nvd.nist.gov/vuln/detail/CVE-2022-29885 |
Expat | CVE-2022-40674, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315, CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852 | https://access.redhat.com/errata/RHSA-2022:6834 |
mozilla-nspr | CVE-2021-43527 | https://nvd.nist.gov/vuln/detail/CVE-2021-43527 |
Grub2 | CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-28736 | https://www.suse.com/support/update/announcement/2022/suse-su-20222038-1/ |
Dell IDRAC9 | CVE-2022-44640 | DSA-2023-162 |
CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
---|---|---|---|---|
CVE-2022-29885, CVE-2022-34305, CVE-2022-40674, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315, CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852 | PowerProtect DD DDOS and DDMC | 7.0 to 7.10 | 7.11.0.0 and above or 7.7.5.11 and above to stay on LTS2022 7.7 or 7.10.1.1 and above to stay on LTS2023 7.10 | For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles): https://www.dell.com/support/kbdoc/334649 https://www.dell.com/support/kbdoc/525902 |
 | | 6.2.1.90 and below | Available in next release | |
 | PowerProtect DP Series Appliance (IDPA) | 2.7.3 and below | Available in next release | |
 | PowerProtect Data Manager Appliance model: DM5500 | 5.12 and below | 5.13 and above | |
CVE-2022-37434, CVE-2018-25032, CVE-2021-43527, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-28736 | PowerProtect DD SmartScale | 7.8 to 7.10 | 7.11.0.0 and above or 7.10.1.1 and above to stay on LTS2023 7.10 | |
CVE-2021-43527 | PowerProtect DD DDOS and DDMC | 7.0 to 7.11 | Next release after 7.11.0.0 and above or 7.7.5.11 and above to stay on LTS2022 7.7 or 7.10.1.1 and above to stay on LTS2023 7.10 | |
 | | 6.2.1.90 and below | Available in next release | |
 | PowerProtect DP Series Appliance (IDPA) | 2.7.3 and below | Available in next release | |
 | PowerProtect Data Manager Appliance model: DM5500 | 5.13 and below | Available in next release | |
CVE-2022-44640 | PowerProtect DD Appliance model: DD3300, DD6400, DD6900, DD9400, and DD9900 | 7.0 to 7.10 | 7.11.0.0 and above or 7.7.5.1 and above to stay on LTS2022 7.7 or 7.10.1.0 and above to stay on LTS2023 7.10 | |
To minimize exposure to these vulnerabilities in PowerProtect DD and PowerProtect DP Series Appliance (IDPA), limit HTTPS and SSH access to the Data Domain system in the Administration section of the GUI. Additionally, host access can be configured using the net filter CLI. Refer to the DD OS Administration Guide and Command Reference Guide for details. PowerProtect and Data Domain core documents can be found here.
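The remediated versions for PowerProtect DD DDOS and DDMC are per-branch floors, so a plain "greater than 7.7.5.11" comparison would wrongly pass a release such as 7.9.0.0. The following added example (not Dell code) classifies DD OS version strings against the Tomcat/Expat CVE rows of the table above; the host names, the sample inventory and the optional `-build` suffix on version strings are assumptions, and the CVE-2021-43527 and CVE-2022-44640 rows use different thresholds.

```python
import re

# Thresholds copied from the advisory's "PowerProtect DD DDOS and DDMC" rows
# for the Tomcat/Expat CVE group. Other rows use different values.
FIXED_FROM = (7, 11, 0, 0)                # "7.11.0.0 and above"
LTS_FLOORS = {(7, 7): (7, 7, 5, 11),      # "7.7.5.11 and above" on LTS2022 7.7
              (7, 10): (7, 10, 1, 1)}     # "7.10.1.1 and above" on LTS2023 7.10
AFFECTED_7X = ((7, 0), (7, 10))           # "7.0 to 7.10"
AFFECTED_6X_MAX = (6, 2, 1, 90)           # "6.2.1.90 and below"


def parse_version(text):
    """Parse 'A.B[.C[.D]]' into a 4-tuple; a trailing '-build' is assumed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-\d+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised DD OS version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def classify(version):
    """Return 'remediated', 'affected', 'affected-no-fix-yet' or 'not-listed'."""
    v = parse_version(version)
    if v >= FIXED_FROM:
        return "remediated"
    branch = v[:2]
    if branch in LTS_FLOORS:
        # An LTS branch is fixed only from its own floor upward.
        return "remediated" if v >= LTS_FLOORS[branch] else "affected"
    if AFFECTED_7X[0] <= branch <= AFFECTED_7X[1]:
        return "affected"  # non-LTS 7.x branch: no in-branch fix is listed
    if v <= AFFECTED_6X_MAX:
        return "affected-no-fix-yet"  # table says "Available in next release"
    return "not-listed"


def needs_action(fleet):
    """Return the sorted host names whose version is not remediated."""
    return sorted(h for h, ver in fleet.items() if classify(ver) != "remediated")


# Constructed inventory for illustration only.
SAMPLE_FLEET = {
    "dd-lts2022": "7.7.5.11-1046187",
    "dd-lts2022-old": "7.7.5.1",
    "dd-nonlts": "7.9.0.0",
    "dd-lts2023": "7.10.1.0",
    "dd-current": "7.11.0.0",
    "dd-legacy": "6.2.1.90",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_FLEET.items():
        print(f"{host:16} {ver:18} {classify(ver)}")
```
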
Revision | Date | Description |
---|---|---|
1.0 | 2023-03-21 | Initial Release |
1.1 | 2023-03-23 | Updated "Affected Product" under "Article Properties" |
1.2 | 2023-03-27 | Updated the "Updated Versions" |
1.3 | 2023-03-28 | Updated Product Table - Added Integrated DataProtect Appliance model: DP4400 |
1.4 | 2023-03-29 | Corrected CVE-2022-22852 to CVE-2022-23852 |
1.5 | 2023-04-28 | Updated Affected Products and Remediation Table: updated versions for PowerProtect DD DDOS and DDMC; updated versions for PowerProtect DD SmartScale; changed Integrated DataProtect Appliance Model: DP4400 to PowerProtect DP Series Appliance (IDPA); added PowerProtect Data Manager Appliance model: DM5500; added CVE-2021-43527 and Products; added Work Around and Mitigation |
1.6 | 2023-05-08 | Updated Affected Products and Remediation table: updated versions for LTS 7.7 and 7.10 |
1.7 | 2023-06-14 | Updated Affected Products and Remediation table: replaced "Next 7.7 after 7.7.5.1 to stay on LTS2022 7.7" with "7.7.5.11 and above to stay on LTS2022 7.7" for PowerProtect DD DDOS and DDMC |
1.8 | 2023-07-05 | Updated Affected Products and Remediation Table: replaced "Next 7.10 after 7.10.1.0 to stay on LTS2023 7.10" with "7.10.1.1 and above to stay on LTS2023 7.10" |
1.9 | 2023-07-11 | Added Affected Products and Remediation for CVE-2022-44640. |
1.10 | 2023-08-02 | Updated Affected Products under Article Properties |
02 Aug. 2023
15
Dell Security Advisory