iSM: False positive vulnerabilities identified with Python engine bundled with iSM 5.4.0

Some third-party security scanners may identify iDRAC Service Module (iSM) 5.4.0 as vulnerable to certain Common Vulnerabilities and Exposures (CVE) security issues as part of the Python engine that iSM bundles. These scanners look for the presence of certain Python library files of specific versions even if that library's Application Programming Interface (API) is not actually used by iSM or loaded into memory for code execution to expose the vulnerability.

The following CVEs may be identified as false positive vulnerabilities:
 

CVE ID	CVSSv3 Score
CVE-2018-5996	7.8
BDSA-2021-4620	7.8
CVE-2015-8812	9.8
CVE-2022-37454	9.8
CVE-2019-12900	9.8
CVE-2022-42919	7.8
BDSA-2024-5078	7.7
CVE-2015-20107	7.6
CVE-2024-6232	7.5
CVE-2023-24329	7.5
CVE-2020-10735	7.5
CVE-2024-7592	7.5
CVE-2023-36632	7.5
CVE-2022-45061	7.5
CVE-2018-25032	7.5
CVE-2021-28861	7.4
CVE-2022-26488	7
CVE-2021-43527	9.8
CVE-2017-12814	9.8
CVE-2022-2309	7.5
BDSA-2024-4448	7.9
BDSA-2024-4448	7.9
BDSA-2024-4448	7.9
CVE-2022-40898	7.5
CVE-2022-40898	7.5
CVE-2019-13351	8.1

Dell Engineering has investigated each of these CVE vulnerabilities with Python and has determined that iSM is not actually vulnerable to these.

These false positive warnings can be safely ignored. Dell Engineering does plan to update the Python engine in a future iSM release to avoid these false positive warnings.