Dell Unity: OE 5.3.x False Positive Security Vulnerabilities (User Correctable)
Summary: This article provides a list of security vulnerabilities that cannot be exploited on Dell Unity OE 5.3.x, but may be identified by security scanners.
Security Article Type: Security KB
CVE Identifier: The CVE IDs are listed in the table below.
Issue Summary: This article provides a list of security vulnerabilities that cannot be exploited on Dell Unity 5.3.x, but may be identified by security scanners.
Recommendations
The vulnerabilities listed in the table below are ordered by the date on which Unity Engineering determined that the Unity Operating Environment (OE) 5.3.x was not vulnerable.
| Embedded Component | CVE ID | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
|---|---|---|---|---|
| External Library Oniguruma | CVE-2019-13224 | A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. | The Oniguruma library is not deployed on the Unity array. Therefore the CVEs related to Oniguruma would not impact Unity 5.3. | 5/22/2024 |
| External Library Oniguruma | CVE-2019-16163 | Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c. | The Oniguruma library is not deployed on the Unity array. Therefore the CVEs related to Oniguruma would not impact Unity 5.3. | 5/22/2024 |
| External Library Oniguruma | CVE-2019-19012 | An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression. | The Oniguruma library is not deployed on the Unity array. Therefore the CVEs related to Oniguruma would not impact Unity 5.3. | 5/22/2024 |
| External Library Oniguruma | CVE-2019-19203 | An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read. | The Oniguruma library is not deployed on the Unity array. Therefore the CVEs related to Oniguruma would not impact Unity 5.3. | 5/22/2024 |
| External Library Oniguruma | CVE-2019-19204 | An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read. | The Oniguruma library is not deployed on the Unity array. Therefore the CVEs related to Oniguruma would not impact Unity 5.3. | 5/22/2024 |
Additional Information
The CVEs are listed on the SUSE CVE pages:
CVE-2019-13224: https://www.suse.com/security/cve/CVE-2019-13224.html
CVE-2019-16163: https://www.suse.com/security/cve/CVE-2019-16163.html
CVE-2019-19012: https://www.suse.com/security/cve/CVE-2019-19012.html
CVE-2019-19203: https://www.suse.com/security/cve/CVE-2019-19203.html
CVE-2019-19204: https://www.suse.com/security/cve/CVE-2019-19204.html
SLES 15 SPx is affected by these CVEs and has fixes available as patches, except for CVE-2019-19012, for which SUSE states "Overall state of this security issue: Does not affect SUSE products." Unity OE 5.3 uses SLES 15.
The vulnerabilities listed in these CVEs were tested.
There is no Oniguruma library deployed on the Unity array. Therefore the CVEs related to Oniguruma would not impact Unity 5.3.
In one case the scan report was provided. The IP address in the report was the same as the management IP of the array in that case, but the operating system shown was RHEL, whereas Unity uses SLES. The MAC address and the other identifying details in the report should therefore be compared against the array.
In that particular case, the MAC address listed in the report is 52:54:00:60:7c:94,
while the MAC address on the array is 08:00:1b:ff:1f:8e:
18: mgmt_vdev@mgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:00:1b:ff:1f:8e brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.252/29 <<<<<
Configuration of physical port "mgmt_vdev":
Port Name: mgmt_vdev
MAC: 08:00:1b:ff:1f:8e <<<
The MAC address 52:54:00:60:7c:94 is not present on the array (on either SPA or SPB).
The scan findings therefore appear to concern some other node, and do not affect Unity.
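The check described above (does the scanner's finding really belong to this array?) can be scripted so it is repeatable during false-positive triage. The following is an added example, not Dell's own tooling: it parses array-side output of the kind quoted above, normalizes MAC address notation, and compares the scanner's reported MAC and OS fingerprint against what the array reports. The array output below is a constructed sample modelled on the quoted listing, and the function and variable names are assumptions.

```python
import re

# Constructed sample of array-side output (an `ip a` block for the
# management interface plus the port configuration listing); it is
# modelled on the article's excerpt, not captured from a live system.
ARRAY_OUTPUT = """\
18: mgmt_vdev@mgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:00:1b:ff:1f:8e brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.252/29
Configuration of physical port "mgmt_vdev":
Port Name: mgmt_vdev
MAC: 08:00:1b:ff:1f:8e
"""

# Six hex octets separated by ':' or '-', as printed by ip(8), the
# array CLI, and most scanner reports.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so that '52-54-00-60-7C-94'
    and '52:54:00:60:7c:94' compare equal."""
    return mac.strip().replace("-", ":").lower()


def array_macs(output: str) -> set[str]:
    """All unicast MAC addresses in the array output. The broadcast
    address that ip(8) prints after 'brd' is dropped so it can never
    produce a spurious match."""
    macs = {normalize_mac(m) for m in MAC_RE.findall(output)}
    macs.discard("ff:ff:ff:ff:ff:ff")
    return macs


def scan_matches_array(report_mac: str, report_os: str,
                       array_output: str, array_os: str = "SLES") -> dict:
    """Decide whether a scanner finding belongs to this array. A matching
    IP alone is not sufficient (addresses get reused or translated); the
    MAC and the fingerprinted OS must both agree with the array itself."""
    macs = array_macs(array_output)
    mac_ok = normalize_mac(report_mac) in macs
    os_ok = report_os.strip().upper().startswith(array_os.upper())
    return {
        "mac_match": mac_ok,
        "os_match": os_ok,
        "belongs_to_array": mac_ok and os_ok,
        "array_macs": sorted(macs),
    }
```

Run with the MAC and OS taken from the scan report; a result with `belongs_to_array` false means the finding should be attributed to another host before any Unity remediation is considered.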