Dell NetWorker Version 19.12 False Positive Security Vulnerabilities
Summary: This article provides a list of security vulnerabilities that cannot be exploited on Dell NetWorker Version 19.12 but which may be flagged by security scanners.
Security Article Type: Security KB
CVE Identifier: The CVE IDs are listed in the table below.
Issue Summary: See the 'Recommendations' section below for details on each CVE.
Recommendations
The vulnerabilities in the table below are listed in order of the date on which Dell NetWorker Engineering determined that Dell NetWorker Version 19.12 is not vulnerable.
| Third-Party Component | CVE ID | Summary of Vulnerability | Reason Why Product Is Not Vulnerable | Date Determined False Positive |
|---|---|---|---|---|
| RabbitMQ 0.13.0 | CVE-2023-35789 | An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (for example, for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments. | CVE-2023-35789 is a medium-severity issue in the rabbitmq-c library through 0.13.0 for RabbitMQ. It concerns the command-line utilities (amqp-publish and amqp-consume), which accept credentials on the command line, where local attackers can see them by listing a process and its arguments. NetWorker is not impacted: these utilities are not generated when rabbitmq-c is built for NetWorker and are not shipped as part of the NetWorker packages. | 2025-02-24 |
| zlib 1.2.11 | CVE-2022-37434 | zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader. | The DDBoost client does not use the inflateGetHeader function in which the vulnerability lies. | 2025-02-24 |
| zlib 1.2.11 | CVE-2018-25032 | zlib before 1.2.12 allows memory corruption when deflating (that is, when compressing) if the input has many distant matches. | The DDBoost client does not use the GZ compression type. | 2025-02-24 |
| OpenSSL 1.0.2zg | CVE-2023-0464 | A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy` argument to the command-line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()` function. | The DDBoost library does not call the OpenSSL API `X509_VERIFY_PARAM_set1_policies()` that would enable policy processing, and policy processing is disabled by default. DDBoost also provides no way, via a command-line utility or an environment variable, to modify this policy setting. | 2025-02-24 |
| OpenSSL 1.0.2zg | CVE-2023-0465 | Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy` argument to the command-line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()` function. | The DDBoost library does not call the OpenSSL API `X509_VERIFY_PARAM_set1_policies()` that would enable policy processing, and policy processing is disabled by default. DDBoost also provides no way, via a command-line utility or an environment variable, to modify this policy setting. | 2025-02-24 |
| OpenSSL 1.0.2zg | CVE-2023-0466 | The function `X509_VERIFY_PARAM_add0_policy()` is documented to implicitly enable the certificate policy check when doing certificate verification. However, the implementation of the function does not enable the check, which allows certificates with invalid or incorrect policies to pass certificate verification. As suddenly enabling the policy check could break existing deployments, it was decided to keep the existing behavior of the `X509_VERIFY_PARAM_add0_policy()` function. Instead, applications that require OpenSSL to perform the certificate policy check need to use `X509_VERIFY_PARAM_set1_policies()` or explicitly enable the policy check by calling `X509_VERIFY_PARAM_set_flags()` with the `X509_V_FLAG_POLICY_CHECK` flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications. | The DDBoost library does not call the OpenSSL API `X509_VERIFY_PARAM_set1_policies()` that would enable policy processing, and policy processing is disabled by default. It also does not use the `X509_VERIFY_PARAM_add0_policy()` and `X509_VERIFY_PARAM_set_flags()` APIs. DDBoost also provides no way, via a command-line utility or an environment variable, to call these APIs. | 2025-02-24 |
| Curl 8.7.1 | CVE-2024-6197 | libcurl's ASN.1 parser has the `utf8asn1str()` function, used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return an error. Unfortunately, when doing so it also invokes `free()` on a 4-byte local stack buffer. Most modern malloc implementations detect this error and immediately abort. Some, however, accept the input pointer and add that memory to their list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely memory pointers and a set of flags. The most likely outcome of exploiting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances. | Curl can be built against several TLS libraries for securing HTTPS connections. This CVE is exploitable only when curl is built to use GnuTLS, wolfSSL, Schannel, Secure Transport or mbedTLS. In NetWorker, curl is built with OpenSSL as its TLS implementation. Also, the function `utf8asn1str` is not used by the current version of the curl library loaded by NetWorker. | 2025-02-24 |
| Curl 8.7.1 | CVE-2024-7264 | libcurl's ASN.1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` being performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents being returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. | This CVE is exploitable only when curl is built to use GnuTLS, wolfSSL, Schannel, Secure Transport or mbedTLS. In NetWorker, curl is built with OpenSSL as its TLS implementation. Also, the function `utf8asn1str` is not used by the current version of the curl library loaded by NetWorker. | 2025-02-24 |
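The two curl rows turn on which TLS backend the shipped libcurl was built with, and that is something a scanner that matches only on version cannot see. The triage helper below (an added example, not Dell's or the curl project's code) applies that reasoning to the first line of a `curl --version` banner: if none of the backends the rows name is present, the ASN.1 parser code path is not built and the hit is a false positive. The three sample banners are constructed, not captured from NetWorker hosts.

```python
import re
from typing import Dict, List

# Added example (not Dell's or curl's code): triage a scanner hit for
# CVE-2024-6197 / CVE-2024-7264 from a `curl --version` banner. Both flaws sit
# in libcurl's own ASN.1 certificate parser, which is only compiled for the TLS
# backends the advisory names; an OpenSSL-backed libcurl has no such code path,
# so a version-only match there is a false positive.
AFFECTED_BACKENDS = {"gnutls", "wolfssl", "schannel", "securetransport", "mbedtls"}
OTHER_BACKENDS = {"openssl", "libressl", "boringssl", "quictls", "rustls", "bearssl"}


def tls_backends(version_output: str) -> List[str]:
    """Return the TLS backend names found on the first line of `curl --version`.

    The banner reads 'curl X (triplet) libcurl/X BACKEND/ver ... zlib/...'.
    MultiSSL builds list several backends and wrap the non-default ones in
    parentheses; Schannel and SecureTransport carry no version suffix.
    """
    first = version_output.strip().splitlines()[0]
    m = re.search(r"\blibcurl/\S+\s*(.*)$", first)
    if not m:
        raise ValueError("not a curl --version banner")
    found = []
    for token in m.group(1).split():
        name = token.strip("()").split("/", 1)[0].lower()
        if name in AFFECTED_BACKENDS or name in OTHER_BACKENDS:
            found.append(name)
    return found


def triage(version_output: str) -> Dict[str, object]:
    """Map a banner to a verdict for the two libcurl ASN.1 parser CVEs."""
    backends = tls_backends(version_output)
    hit = [b for b in backends if b in AFFECTED_BACKENDS]
    if hit:
        verdict = "affected-backend-present"   # parser is compiled in: investigate
    elif backends:
        verdict = "not-affected"               # e.g. OpenSSL only, as in NetWorker
    else:
        verdict = "no-backend-found"           # banner unreadable: check by hand
    return {"backends": backends, "affected": hit, "verdict": verdict}


# Constructed sample banners (not captured from real systems).
OPENSSL_BUILD = "curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 OpenSSL/3.0.13 zlib/1.2.11\nProtocols: http https\n"
MULTISSL_BUILD = "curl 8.7.1 (x86_64-apple-darwin23.0) libcurl/8.7.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12\n"
SCHANNEL_BUILD = "curl 8.7.1 (Windows) libcurl/8.7.1 Schannel zlib/1.3.1\n"

if __name__ == "__main__":
    for banner in (OPENSSL_BUILD, MULTISSL_BUILD, SCHANNEL_BUILD):
        print(banner.splitlines()[0], "->", triage(banner)["verdict"])
```

A backend-based "not-affected" verdict covers only the condition the table states; a host that has been rebuilt against one of the listed backends must be re-checked.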