Security KB
This article lists security vulnerabilities that cannot be exploited on any version of Dell EMC OpenManage Enterprise, but which security scanners may still report. The CVE IDs are listed in the table below.
| Third-party Component | CVE IDs | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
|---|---|---|---|---|
| Log4j-2.16 | CVE-2021-45105 | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to potentially cause a denial of service when a crafted string is interpreted. | The Dell EMC OpenManage Enterprise log configuration does not use context lookups (for example, `${ctx:loginId}`) in the Log4j pattern layout. | December 17, 2021 |
| Log4j-2.16 | CVE-2021-44832 | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file may potentially construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can run remote code. | The Dell EMC OpenManage Enterprise team confirmed that the JDBC Appender is being used and that it is not configured to use any protocol other than Java. | December 29, 2021 |
| Spring-mvc | CVE-2022-22965 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) using data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. | This vulnerability does not apply to Dell EMC OpenManage Enterprise because its JDK usage and application deployment differ from the prerequisites of the vulnerability. | April 8, 2022 |
| Spring-Cloud | CVE-2022-22963 | In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. | OpenManage Enterprise does not use the Spring Cloud libraries. | April 8, 2022 |
| Spring Framework | CVE-2022-22950 | In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and earlier unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. | OpenManage Enterprise does not use SpEL, and the team is not aware of any other practical way to exploit this vulnerability. | April 8, 2022 |
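The first two rows rest on two configuration facts that an auditor can verify directly: no `${ctx:...}` lookup in any PatternLayout, and no JDBC Appender whose DataSource JNDI name uses a scheme other than `java:`. The script below is an added example (not Dell's code or configuration) that checks a `log4j2.xml` for exactly those two preconditions; the sample configuration it parses is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# ${ctx:...} or the deferred $${ctx:...} form: the Thread Context Map lookup
# that CVE-2021-45105 needs to appear in a PatternLayout pattern.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")


def pattern_strings(layout):
    """A PatternLayout gives its pattern as an attribute or a <Pattern> child."""
    patterns = [layout.get("pattern")] + [p.text for p in layout.iter("Pattern")]
    return [p for p in patterns if p]


def audit_log4j2_config(xml_text):
    """Report which preconditions of the two Log4j CVEs a config actually meets.

    'ctx_patterns': PatternLayout patterns containing a ctx lookup (CVE-2021-45105).
    'jdbc_appenders': JDBC appenders with their DataSource jndiName values and a
    flag set when any jndiName uses a scheme other than java: (CVE-2021-44832).
    """
    root = ET.fromstring(xml_text)
    report = {"ctx_patterns": [], "jdbc_appenders": []}
    for layout in root.iter("PatternLayout"):
        for pattern in pattern_strings(layout):
            if CTX_LOOKUP.search(pattern):
                report["ctx_patterns"].append(pattern)
    for el in root.iter():
        # Log4j2 accepts <JDBC .../> or the generic <Appender type="JDBC"/> form.
        if el.tag == "JDBC" or (el.tag == "Appender" and el.get("type") == "JDBC"):
            jndi_names = [ds.get("jndiName", "") for ds in el.iter("DataSource")]
            report["jdbc_appenders"].append({
                "name": el.get("name", ""),
                "jndi_names": jndi_names,
                "non_java_jndi": any(not n.lower().startswith("java:") for n in jndi_names),
            })
    return report


# Constructed sample (hypothetical, not an OpenManage Enterprise file): a plain
# console pattern and a JDBC appender whose DataSource uses the java: scheme.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%msg"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    print(audit_log4j2_config(SAMPLE_CONFIG))
```

A clean result (empty `ctx_patterns`, no appender flagged `non_java_jndi`) is the evidence behind the two "not vulnerable" entries; anything else means the scanner finding deserves a closer look.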