DSA-2025-097: Security Update for Dell ObjectScale 4.0 Multiple Vulnerabilities
Summary: Dell ObjectScale remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Impact
Critical
Additional Details
As of release 4.x, the ECS product has been rebranded as ObjectScale (OBS). This Security Advisory communicates vulnerabilities affecting ECS release 3.8.1.4 and prior versions; they are remediated in the release series now referred to as ObjectScale (OBS).
Details
| Third-party Component | CVEs | More Information |
|---|---|---|
| Apache Commons Configuration | CVE-2024-29133, CVE-2024-29131 | |
| Bouncy Castle | CVE-2023-33202, CVE-2024-34447, CVE-2024-30171, CVE-2024-30172, CVE-2024-29857, CVE-2023-33201 | |
| crypto/tls | CVE-2023-45287 | |
| Docker | CVE-2020-8694, CVE-2020-8695, CVE-2024-24557 | |
| eclipse jetty | CVE-2024-22201, CVE-2023-44487, CVE-2021-28169, CVE-2021-34428, CVE-2021-34429, CVE-2022-2047, CVE-2022-2048, CVE-2023-26048, CVE-2023-26049, CVE-2023-36478, CVE-2023-36479, CVE-2023-40167, CVE-2023-41900 | |
| Expat | CVE-2024-28757, CVE-2022-40674, CVE-2022-43680, CVE-2023-52425 | |
| github.com/crewjam/saml | CVE-2022-41912, CVE-2023-28119, CVE-2023-45683 | |
| go.uuid | CVE-2021-3538 | |
| Golang | CVE-2022-23806, CVE-2022-41716, CVE-2021-3115, CVE-2020-28367, CVE-2020-28366 | |
| golang.org/x/net | CVE-2023-44487 | |
| Html | CVE-2023-3978 | |
| Goxmldsig | CVE-2020-7711 | |
| go-yaml | CVE-2022-28948 | |
| h2database | CVE-2021-23463, CVE-2021-42392, CVE-2022-23221, CVE-2022-45868 | |
| Idna | CVE-2024-3651 | |
| jackson-databind | CVE-2020-36518, CVE-2022-42003, CVE-2022-42004, CVE-2021-46877, CVE-2023-35116 | |
| Jersey | CVE-2021-28168 | |
| jose.v2 | CVE-2024-28180 | |
| libseccomp2 | CVE-2019-9893 | |
| logback receiver | CVE-2023-6378 | |
| math/big | CVE-2020-28362 | |
| net/http2 | CVE-2023-45288, CVE-2023-39325, CVE-2022-27664, CVE-2022-41717, CVE-2022-41723 | |
| Netty Project | CVE-2024-29025, CVE-2022-24823, CVE-2022-41881, CVE-2023-34462 | |
| Nginx | CVE-2023-44487 | |
| Openssh | CVE-2023-48795 | |
| Openssl | CVE-2024-0727, CVE-2020-36242, CVE-2023-49083 | |
| PostgreSQL JDBC Driver (pgjdbc) | CVE-2022-31197, CVE-2022-41946, CVE-2024-1597 | |
| Protobuf | CVE-2024-24786 | |
| Pyopenssl | CVE-2018-1000808, CVE-2018-1000807 | |
| Pytest | CVE-2020-29651 | |
| python/requests | CVE-2018-18074, CVE-2024-35195 | |
| python311-base | CVE-2024-4032 | |
| python3-urllib3 | CVE-2023-46218, CVE-2024-37891 | |
| Setuptools | CVE-2022-40897 | |
| snappy-java | CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-43642 | |
| spring-expression | CVE-2024-38808 | |
| Zookeeper | CVE-2024-23944, CVE-2023-44981 | |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2025-26477 | Dell ECS version 3.8.1.4 and prior contain an Improper Input Validation vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution. | 4.3 | |
| CVE-2025-26478 | Dell ECS version 3.8.1.4 and prior contain an Improper Certificate Validation vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure. | 3.1 | |
Affected Products & Remediation
| Product | Affected Versions | Remediated Version | Link |
|---|---|---|---|
| Dell ObjectScale | Versions prior to 4.0 | Version 4.0 or later | |
Dell recommends that all customers upgrade their ObjectScale systems at the earliest opportunity by opening an “Operating Environment Upgrade” Service Request. Customers on ECS 3.8.1.x and ECS 3.8.0.x can upgrade directly to OBS 4.0. Customers on versions prior to ECS 3.8.x must first upgrade to ECS 3.8.x before upgrading to OBS 4.0.
Note: Please visit the Security Update Release Schedule for Supported Versions of ObjectScale (formerly ECS) for more information.
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-03-26 | Initial Release |
| 2.0 | 2024-04-16 | Revised Wording |