Article Number: 000193697

DSA-2021-205: Dell EMC Streaming Data Platform Security Update for Multiple Vulnerabilities

Summary: Dell EMC Streaming Data Platform contains remediation for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content

Impact

High

Details

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2021-36326	Dell EMC Streaming Data Platform, versions before 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker may potentially exploit this vulnerability, leading to a downgrade in the communications between the client and server into an unencrypted format.	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2021-36327	Dell EMC Streaming Data Platform versions before 1.3 contain a Server Side Request Forgery Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to perform port scanning of internal networks and make HTTP requests to an arbitrary domain of the attacker's choice.	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVE-2021-36328	Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database.	8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36329	Dell EMC Streaming Data Platform versions before 1.3 contain an Indirect Object Reference Vulnerability. A remote malicious user may potentially exploit this vulnerability to gain sensitive information.	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-36330	Dell EMC Streaming Data Platform versions before 1.3 contain an Insufficient Session Expiration Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to reuse old session artifacts to impersonate a legitimate user.	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Third-Party Component	CVEs	More information
busybox	CVE-2018-1000500	See NVD (http://nvd.nist.gov/) for individual scores for each CVE
	CVE-2018-20679
	CVE-2019-5747
	CVE-2021-28831
@grpc/grpc-js	CVE-2020-7768
ajv	CVE-2020-15366
Apache Commons Compress	CVE-2019-12402
Apache CXF	CVE-2021-22696
Apache CXF	CVE-2021-30468
Apache Log4j	CVE-2017-5645
Apache Log4j	CVE-2019-17571
Apache Thrift	CVE-2019-0205
	CVE-2019-0210
	CVE-2020-13949
apk-tools	CVE-2021-30139
Bash	CVE-2019-18276
Bouncy Castle	CVE-2020-28052
Common Unix Printing System (CUPS)	CVE-2017-18190
curl	CVE-2016-8615
	CVE-2016-8617
	CVE-2016-8618
	CVE-2016-8619
	CVE-2016-8621
	CVE-2016-8622
	CVE-2016-8623
	CVE-2016-8624
	CVE-2016-8625
	CVE-2016-9586
	CVE-2017-1000254
	CVE-2018-16839
	CVE-2018-16840
	CVE-2018-16842
	CVE-2018-16890
	CVE-2019-3823
	CVE-2019-5436
	CVE-2019-5481
	CVE-2019-5482
	CVE-2020-8169
	CVE-2020-8177
curl	CVE-2020-8231
	CVE-2020-8285
	CVE-2020-8286
Cyrus SASL	CVE-2019-19906
Data Mapper for Jackson	CVE-2019-10172
D-Bus	CVE-2019-12749
giflib -- A library for processing GIFs	CVE-2020-23922
Git	CVE-2021-21300
GLib	CVE-2018-16429
	CVE-2019-12450
	CVE-2019-13012
	CVE-2019-14822
	CVE-2021-27218
	CVE-2021-27219
GNU Binutils	CVE-2021-20294
GNU C Library	CVE-2009-5155
	CVE-2015-8982
	CVE-2016-1234
	CVE-2019-9169
	CVE-2020-1751
	CVE-2020-1752
GNU C Library	CVE-2020-29573
	CVE-2020-6096
	CVE-2021-3326
GNU cpio	CVE-2019-14866
GnuPG	CVE-2018-1000858
GnuPG	CVE-2019-13050
GnuTLS	CVE-2020-24659
	CVE-2021-20231
	CVE-2021-20232
Grafana	CVE-2021-27962
Grafana	CVE-2021-28148
Jackson data formats: Binary	CVE-2020-28491
jackson-databind	CVE-2018-19360
	CVE-2018-19361
	CVE-2018-19362
	CVE-2019-12086
	CVE-2019-14379
	CVE-2019-14439
	CVE-2019-14540
	CVE-2019-14892
	CVE-2019-14893
	CVE-2019-16335
	CVE-2019-16942
	CVE-2019-16943
	CVE-2019-17267
	CVE-2019-17531
	CVE-2019-20330
	CVE-2020-10672
	CVE-2020-10673
	CVE-2020-10968
	CVE-2020-10969
	CVE-2020-11111
	CVE-2020-11112
	CVE-2020-11113
	CVE-2020-11619
	CVE-2020-11620
	CVE-2020-14060
	CVE-2020-14061
	CVE-2020-14062
	CVE-2020-14195
	CVE-2020-24616
	CVE-2020-24750
	CVE-2020-25649
	CVE-2020-35490
	CVE-2020-35491
	CVE-2020-35728
	CVE-2020-36179
	CVE-2020-36180
	CVE-2020-36181
	CVE-2020-36182
	CVE-2020-36183
	CVE-2020-36184
	CVE-2020-36185
	CVE-2020-36186
	CVE-2020-36187
	CVE-2020-36188
	CVE-2020-36189
	CVE-2020-8840
	CVE-2020-9546
	CVE-2020-9547
	CVE-2020-9548
	CVE-2021-20190
JBoss Remoting	CVE-2020-35510
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server	CVE-2017-7656
	CVE-2017-7657
	CVE-2017-7658
	CVE-2017-9735
	CVE-2018-12538
	CVE-2018-12545
	CVE-2020-27216
	CVE-2021-28165
json-bigint	CVE-2020-8237
krb5/krb5	CVE-2020-28196
Kubernetes Client API	CVE-2020-8570
libarchive	CVE-2017-14502
libexpat	CVE-2016-4472
	CVE-2016-5300
	CVE-2017-9233
	CVE-2018-20843
	CVE-2019-15903
libgcrypt	CVE-2021-33560
Open SSL	CVE-2021-3711
Open SSL	CVE-2021-3712

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2021-36326	Dell EMC Streaming Data Platform, versions before 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker may potentially exploit this vulnerability, leading to a downgrade in the communications between the client and server into an unencrypted format.	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2021-36327	Dell EMC Streaming Data Platform versions before 1.3 contain a Server Side Request Forgery Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to perform port scanning of internal networks and make HTTP requests to an arbitrary domain of the attacker's choice.	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVE-2021-36328	Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database.	8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36329	Dell EMC Streaming Data Platform versions before 1.3 contain an Indirect Object Reference Vulnerability. A remote malicious user may potentially exploit this vulnerability to gain sensitive information.	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-36330	Dell EMC Streaming Data Platform versions before 1.3 contain an Insufficient Session Expiration Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to reuse old session artifacts to impersonate a legitimate user.	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Third-Party Component	CVEs	More information
busybox	CVE-2018-1000500	See NVD (http://nvd.nist.gov/) for individual scores for each CVE
	CVE-2018-20679
	CVE-2019-5747
	CVE-2021-28831
@grpc/grpc-js	CVE-2020-7768
ajv	CVE-2020-15366
Apache Commons Compress	CVE-2019-12402
Apache CXF	CVE-2021-22696
Apache CXF	CVE-2021-30468
Apache Log4j	CVE-2017-5645
Apache Log4j	CVE-2019-17571
Apache Thrift	CVE-2019-0205
	CVE-2019-0210
	CVE-2020-13949
apk-tools	CVE-2021-30139
Bash	CVE-2019-18276
Bouncy Castle	CVE-2020-28052
Common Unix Printing System (CUPS)	CVE-2017-18190
curl	CVE-2016-8615
	CVE-2016-8617
	CVE-2016-8618
	CVE-2016-8619
	CVE-2016-8621
	CVE-2016-8622
	CVE-2016-8623
	CVE-2016-8624
	CVE-2016-8625
	CVE-2016-9586
	CVE-2017-1000254
	CVE-2018-16839
	CVE-2018-16840
	CVE-2018-16842
	CVE-2018-16890
	CVE-2019-3823
	CVE-2019-5436
	CVE-2019-5481
	CVE-2019-5482
	CVE-2020-8169
	CVE-2020-8177
curl	CVE-2020-8231
	CVE-2020-8285
	CVE-2020-8286
Cyrus SASL	CVE-2019-19906
Data Mapper for Jackson	CVE-2019-10172
D-Bus	CVE-2019-12749
giflib -- A library for processing GIFs	CVE-2020-23922
Git	CVE-2021-21300
GLib	CVE-2018-16429
	CVE-2019-12450
	CVE-2019-13012
	CVE-2019-14822
	CVE-2021-27218
	CVE-2021-27219
GNU Binutils	CVE-2021-20294
GNU C Library	CVE-2009-5155
	CVE-2015-8982
	CVE-2016-1234
	CVE-2019-9169
	CVE-2020-1751
	CVE-2020-1752
GNU C Library	CVE-2020-29573
	CVE-2020-6096
	CVE-2021-3326
GNU cpio	CVE-2019-14866
GnuPG	CVE-2018-1000858
GnuPG	CVE-2019-13050
GnuTLS	CVE-2020-24659
	CVE-2021-20231
	CVE-2021-20232
Grafana	CVE-2021-27962
Grafana	CVE-2021-28148
Jackson data formats: Binary	CVE-2020-28491
jackson-databind	CVE-2018-19360
	CVE-2018-19361
	CVE-2018-19362
	CVE-2019-12086
	CVE-2019-14379
	CVE-2019-14439
	CVE-2019-14540
	CVE-2019-14892
	CVE-2019-14893
	CVE-2019-16335
	CVE-2019-16942
	CVE-2019-16943
	CVE-2019-17267
	CVE-2019-17531
	CVE-2019-20330
	CVE-2020-10672
	CVE-2020-10673
	CVE-2020-10968
	CVE-2020-10969
	CVE-2020-11111
	CVE-2020-11112
	CVE-2020-11113
	CVE-2020-11619
	CVE-2020-11620
	CVE-2020-14060
	CVE-2020-14061
	CVE-2020-14062
	CVE-2020-14195
	CVE-2020-24616
	CVE-2020-24750
	CVE-2020-25649
	CVE-2020-35490
	CVE-2020-35491
	CVE-2020-35728
	CVE-2020-36179
	CVE-2020-36180
	CVE-2020-36181
	CVE-2020-36182
	CVE-2020-36183
	CVE-2020-36184
	CVE-2020-36185
	CVE-2020-36186
	CVE-2020-36187
	CVE-2020-36188
	CVE-2020-36189
	CVE-2020-8840
	CVE-2020-9546
	CVE-2020-9547
	CVE-2020-9548
	CVE-2021-20190
JBoss Remoting	CVE-2020-35510
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server	CVE-2017-7656
	CVE-2017-7657
	CVE-2017-7658
	CVE-2017-9735
	CVE-2018-12538
	CVE-2018-12545
	CVE-2020-27216
	CVE-2021-28165
json-bigint	CVE-2020-8237
krb5/krb5	CVE-2020-28196
Kubernetes Client API	CVE-2020-8570
libarchive	CVE-2017-14502
libexpat	CVE-2016-4472
	CVE-2016-5300
	CVE-2017-9233
	CVE-2018-20843
	CVE-2019-15903
libgcrypt	CVE-2021-33560
Open SSL	CVE-2021-3711
Open SSL	CVE-2021-3712

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

Product	Affected Versions	Updated Version	Link to Update
Dell EMC Streaming Data Platform	1.1.x and 1.2.x	1.3	Link to update

Product	Affected Versions	Updated Version	Link to Update
Dell EMC Streaming Data Platform	1.1.x and 1.2.x	1.3	Link to update

Revision History

Revision	Date	Description
1.0	2021-11-19	Initial Release

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

DSA-2021-205: Dell EMC Streaming Data Platform Security Update for Multiple Vulnerabilities

Summary: Dell EMC Streaming Data Platform contains remediation for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content

Impact

Details

Affected Products and Remediation

Revision History

Related Information

Legal Information

Article Properties

Affected Product

Product

Last Published Date

Version

Article Type

Welcome

Welcome to Dell

DSA-2021-205: Dell EMC Streaming Data Platform Security Update for Multiple Vulnerabilities

Summary: Dell EMC Streaming Data Platform contains remediation for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content

Impact

Details

Affected Products and Remediation

Revision History

Related Information

Legal Information

Article Properties

Affected Product

Product

Last Published Date

Version

Article Type