Dell EMC OpenManage Enterprise False Positive Security Vulnerabilities
Summary: This article provides a list of security vulnerabilities that cannot be exploited on all versions of Dell EMC OpenManage Enterprise, but which may be identified by security scanners.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Security Article Type
Security KB
CVE Identifier
The CVE IDs are listed in the table below.
Issue Summary
This article provides a list of security vulnerabilities that cannot be exploited on all versions of Dell EMC OpenManage Enterprise, but which may be identified by security scanners.
Recommendations
The vulnerabilities that are listed in the table below are in order by the date on which Dell EMC OpenManage Enterprise Engineering determined that all versions of Dell EMC OpenManage Enterprise were not vulnerable.
| Third-party Component | CVE IDs | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
| Log4j-2.16 | CVE-2021-45105 | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to potentially cause a denial of service when a crafted string is interpreted. | Dell EMC Open Manage Enterprise log configuration is not using the context lookups (for example, ${ctx:loginId}) in the Log4j pattern layout. | December 17, 2021 |
| Log4j-2.16 | CVE-2021-44832 | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file may potentially construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can run remote code. | Dell EMC Open Manage Enterprise team confirmed that JDBC Appender is being used, and it is not configured to use any protocol other than Java. |
December 29, 2021 |
| Spring-mvc | CVE-2022-22965 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) using data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. | This vulnerability is not applicable to the Dell EMC Open Manage Enterprise due to the JDK usage, and deployment of the application are different from the prerequisites of the vulnerability. | April 8, 2022 |
| Spring-Cloud | CVE-2022-22963 | In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. | Open Manage Enterprise is not using the Spring Cloud libraries. | April 8, 2022 |
| Spring Framework | CVE-2022-22950 | In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and earlier unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. | Open Manage Enterprise is not using SpEL and not aware of any other practical way to exploit this vulnerability. | April 8, 2022 |
Legal Disclaimer
Affected Products
Dell OpenManage Enterprise, Dell EMC OpenManage Enterprise, Product Security InformationArticle Properties
Article Number: 000194933
Article Type: Security KB
Last Modified: 12 Apr 2022
Version: 3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.