DSA-2019-074: Dell EMC OpenManage Server Administrator Multiple Vulnerabilities-DSA

Summary: Dell EMC Open Manage Server Administrator has been updated to address multiple vulnerabilities which may be potentially exploited to compromise the system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

Critical

Details

  • XML External Entity (XXE) Injection Vulnerability (CVE-2019-3722)
Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request.
           
             CVSSv3 Base Score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  • Web Parameter Tampering Vulnerability (CVE-2019-3723)
Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain a web parameter tampering vulnerability. A remote unauthenticated attacker could potentially manipulate parameters of web requests to OMSA to create arbitrary files with empty content or delete the contents of any existing file, due to improper input parameter validation.
           
             CVSSv3 Base Score 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
  • XML External Entity (XXE) Injection Vulnerability (CVE-2019-3722)
Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain an XML external entity (XXE) injection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to read arbitrary server system files by supplying specially crafted document type definitions (DTDs) in an XML request.
           
             CVSSv3 Base Score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  • Web Parameter Tampering Vulnerability (CVE-2019-3723)
Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain a web parameter tampering vulnerability. A remote unauthenticated attacker could potentially manipulate parameters of web requests to OMSA to create arbitrary files with empty content or delete the contents of any existing file, due to improper input parameter validation.
           
             CVSSv3 Base Score 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

Affected products:
  • Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3
  • Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.2.0.4 
Remediation:      
The following Dell EMC OpenManage Server Administrator releases contain resolutions to these vulnerabilities:
  • Dell EMC OpenManage Server Administrator 9.1.0.3 and later
  • Dell EMC OpenManage Server Administrator 9.2.0.4 and later
  • Dell EMC OpenManage Server Administrator 9.3.0 and later
Dell EMC recommends all customers upgrade at the earliest opportunity.  

Customers can download OpenManage Server Administrator for PowerEdge servers. For all other platforms, please select the platform from the Dell support site.
Affected products:
  • Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3
  • Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.2.0.4 
Remediation:      
The following Dell EMC OpenManage Server Administrator releases contain resolutions to these vulnerabilities:
  • Dell EMC OpenManage Server Administrator 9.1.0.3 and later
  • Dell EMC OpenManage Server Administrator 9.2.0.4 and later
  • Dell EMC OpenManage Server Administrator 9.3.0 and later
Dell EMC recommends all customers upgrade at the earliest opportunity.  

Customers can download OpenManage Server Administrator for PowerEdge servers. For all other platforms, please select the platform from the Dell support site.

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

Dell OpenManage Server Administrator Version 8.4, Dell OpenManage Server Administrator Version 8.5, Dell OpenManage Server Administrator Version 9.0.1, Dell OpenManage Server Administrator Version 9.0.2 , Dell OpenManage Server Administrator Version 9.1, Dell OpenManage Server Administrator Version 8.3, Dell OpenManage Server Administrator Version 6.5 A02, Dell OpenManage Server Administrator Version 7.0, Dell OpenManage Server Administrator Version 7.1, Dell OpenManage Server Administrator Version 7.2, Dell OpenManage Server Administrator Version 7.3, Dell OpenManage Server Administrator Version 7.4, Dell OpenManage Server Administrator Version 8.0.1, Dell OpenManage Server Administrator Version 8.0.2, Dell OpenManage Server Administrator Version 8.1, Dell OpenManage Server Administrator Version 8.2, Dell OpenManage Server Administrator Version 9.1.1, Dell OpenManage Server Administrator Version 9.1.2, Dell OpenManage Server Administrator Version 9.2, Product Security Information ...
Article Properties
Article Number: 000180635
Article Type: Dell Security Advisory
Last Modified: 19 Sep 2025
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.