Article Number: 000223556
DSA-2024-132: Security Update for Dell Power Protect Data Manager for Multiple Security Vulnerabilities
Summary: Dell Power Protect Data Manager remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Article Content
Impact
Critical
Details
| Third-party Component | CVEs | More Information |
|---|---|---|
| dom4j: flexible XML framework for Java 2.1.3 | CVE-2023-45960 | CVE-2023-45960  |
| Netty Project 4.1.100 | CVE-2023-4586 | CVE-2023-4586 |
| RabbitMQ amqp-client5.14.3 | CVE-2023-46120 | CVE-2023-46120 |
| Apache Tomcat 9.0.82 | CVE-2023-46589 | CVE-2023-46589 |
| Elasticsearch 7.17.13 | CVE-2023-46673 | CVE-2023-46673 |
| HTTP functionality for the Reactor Netty library 1.0.38 | CVE-2023-34062 | CVE-2023-34062 |
| larvalabs collections 4.01 | CVE-2015-7501 | CVE-2015-7501 |
| reactor-netty 1.0.38 | CVE-2023-34062 | CVE-2023-34062 |
| ibcurl 8.4 | CVE-2023-38545, CVE-2023-23914, CVE-2023-27533, CVE-2023-27534, CVE-2023-28319, CVE-2023-38039, CVE-2023-23915, CVE-2023-23916, CVE-2023-27535, CVE-2023-28320, CVE-2023-28321, CVE-2023-27536, CVE-2023-27538, CVE-2023-38546, CVE-2023-28322 | CVE-2023-38545, CVE-2023-23914, CVE-2023-27533, CVE-2023-27534, CVE-2023-28319, CVE-2023-38039, CVE-2023-23915, CVE-2023-23916, CVE-2023-27535, CVE-2023-28320, CVE-2023-28321, CVE-2023-27536, CVE-2023-27538, CVE-2023-38546, CVE-2023-28322 |
| Jetty - 9.4.53.20231009 | CVE-2023-36479, CVE-2023-41900, CVE-2023-26049, CVE-2023-40167, CVE-2023-26048, CVE-2023-44487, CVE-2023-36478 | CVE-2023-36479, CVE-2023-41900, CVE-2023-26049, CVE-2023-40167, CVE-2023-26048, CVE-2023-44487, CVE-2023-36478 |
| Netty Project 4.1.86 | CVE-2023-44487, CVE-2023-4586, CVE-2023-34462 | CVE-2023-44487,CVE-2023-4586, CVE-2023-34462 |
| google-guava 21.0 | CVE-2023-2976, CVE-2018-10237, CVE-2020-8908 | CVE-2023-2976, CVE-2018-10237, CVE-2020-8908 |
| Logback 1.2.3 | CVE-2023-6378 | CVE-2023-6378 |
| Apache Tomcat 9.0.70 | CVE-2023-42794, CVE-2023-44487, CVE-2023-41080, CVE-2023-42795, CVE-2023-42795, CVE-2023-45648, CVE-2023-28708 | CVE-2023-42794, CVE-2023-44487, CVE-2023-41080, CVE-2023-42795, CVE-2023-45648, CVE-2023-28708 |
| Golang 1.20.12 | CVE-2023-45285, CVE-2023-45283, CVE-2023-48795, CVE-2023-45284, CVE-2023-39326 | CVE-2023-45285, CVE-2023-45283, CVE-2023-48795, CVE-2023-45284, CVE-2023-39326 |
| golang.org/x/crypto v0.14.0 | CVE-2023-48795 | CVE-2023-48795 |
| linux-pam 1.3.0-150000.6.61.1 | CVE-2024-22365 | CVE-2024-22365 |
| ncurses-utils 5.9-81.1 | CVE-2023-50495 | CVE-2023-50495 |
| google.golang.org/grpc 1.45.0 | CVE-2023-44487 | CVE-2023-44487 |
| curl 8.0.1-11.74.1 | CVE-2023-46218, CVE-2023-46219 | CVE-2023-46218, CVE-2023-46219 |
| tar 1.27.1-15.21.1 | CVE-2023-39804 | CVE-2023-39804 |
| Java SE 8u361 | CVE-2023-21968, CVE-2023-21967, CVE-2023-21954, CVE-2023-21951, CVE-2023-21950, CVE-2023-21949, CVE-2023-21948, CVE-2023-21939, CVE-2023-21938, CVE-2023-21937, CVE-2023-21930 | CVE-2023-21968, CVE-2023-21967, CVE-2023-21954, CVE-2023-21951, CVE-2023-21950, CVE-2023-21949, CVE-2023-21948, CVE-2023-21939, CVE-2023-21938, CVE-2023-21937, CVE-2023-21930 |
| PostgreSQL JDBC Driver 42.2.18 | CVE-2022-26520, CVE-2022-21724, CVE-2022-31197, CVE-2022-41946 | CVE-2022-26520,CVE-2022-21724, CVE-2022-31197, CVE-2022-41946 |
| sqlite-jdbc 3.36.0.3 | CVE-2023-32697 | CVE-2023-32697 |
| hughsk/flat 4.1.1 | CVE-2020-36632 | CVE-2020-36632 |
| lodash.set 4.3.2 | CVE-2020-8203 | CVE-2020-8203 |
| vitejs 4.5.1 | CVE-2024-23331 | CVE-2024-23331 |
| ip 2.0.0 | CVE-2023-42282 | CVE-2023-42282 |
| nodeJS 20.10.0 | CVE-2024-21892, CVE-2024-22019, CVE-2024-21896, CVE-2024-22017, CVE-2023-46809, CVE-2024-21891, CVE-2024-21890, CVE-2024-22025 | CVE-2024-21892, CVE-2024-22019, CVE-2024-21896, CVE-2024-22017, CVE-2023-46809, CVE-2024-21891, CVE-2024-21890, CVE-2024-22025 |
| ibslirp0 4.7.0+44-150300.15.2 | CVE-2020-10756, CVE-2020-1983, CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595, | CVE-2020-10756, CVE-2020-1983, CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595 |
| libssh4 0.9.8-150400.3.3.1 | CVE-2023-1667, CVE-2023-2283, CVE-2023-6004, CVE-2023-6918 | CVE-2023-1667, CVE-2023-2283, CVE-2023-6004, CVE-2023-6918 |
| libpq5 16.2-150200.5.10.1 | CVE-2024-0985 | CVE-2024-0985 |
| postgresql14-server 14.11-150200.5.39.1 | CVE-2024-0985 | CVE-2024-0985 |
| postgresql14 14.11-150200.5.39.1 | CVE-2024-0985 | CVE-2024-0985 |
| libfreebl3 3.90.2-150400.3.39.1 | CVE-2023-5388 | CVE-2023-5388 |
| libsoftokn3 3.90.2-150400.3.39.1 | CVE-2023-5388 | CVE-2023-5388 |
| mozilla-nss-certs 3.90.2-150400.3.39.1 | CVE-2023-5388 | CVE-2023-5388 |
| mozilla-nss 3.90.2-150400.3.39.1 | CVE-2023-5388 | CVE-2023-5388 |
| kernel-default 5.14.21-150400.24.108.1 | CVE-2020-26555, CVE-2021-33631, CVE-2023-46838, CVE-2023-47233, CVE-2023-51042, CVE-2023-51043, CVE-2023-51779, CVE-2023-51780, CVE-2023-51782, CVE-2023-6040, CVE-2023-6121, CVE-2023-6356, CVE-2023-6531, CVE-2023-6535, CVE-2023-6536, CVE-2023-6546, CVE-2023-6606, CVE-2023-6610, CVE-2023-6622, CVE-2023-6915, CVE-2023-6931, CVE-2023-6932, CVE-2024-0340, CVE-2024-0565, CVE-2024-0641, CVE-2024-0775, CVE-2024-1085, CVE-2024-1086, CVE-2024-24860 | CVE-2020-26555, CVE-2021-33631, CVE-2023-46838, CVE-2023-47233, CVE-2023-51042, CVE-2023-51043, CVE-2023-51779, CVE-2023-51780, CVE-2023-51782, CVE-2023-6040, CVE-2023-6121, CVE-2023-6356, CVE-2023-6531, CVE-2023-6535, CVE-2023-6536, CVE-2023-6546, CVE-2023-6606, CVE-2023-6610, CVE-2023-6622, CVE-2023-6915, CVE-2023-6931, CVE-2023-6932, CVE-2024-0340, CVE-2024-0565, CVE-2024-0641, CVE-2024-0775, CVE-2024-1085, CVE-2024-1086, CVE-2024-24860 |
| bind-utils 9.16.48-150400.5.40.1 | CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516 | CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516 |
| python3-bind 9.16.48-150400.5.40.1 | CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516 | CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516 |
| slirp4netns 1.2.0-150300.8.5.2 | CVE-2019-6778, CVE-2020-10756, CVE-2020-1983, CVE-2020-29130 | CVE-2019-6778, CVE-2020-10756, CVE-2020-1983, CVE-2020-29130 |
| kernel-firmware | CVE-2019-9836, CVE-2021-26339, CVE-2021-26345, CVE-2021-26348, CVE-2021-26364, CVE-2021-26375, CVE-2021-33139, CVE-2021-46744, CVE-2021-46766, CVE-2023-20519, CVE-2023-20566 | CVE-2019-9836, CVE-2021-26339, CVE-2021-26345, CVE-2021-26348, CVE-2021-26364, CVE-2021-26375, CVE-2021-33139, CVE-2021-46744, CVE-2021-46766, CVE-2023-20519, CVE-2023-20566 |
| runc 1.1.12-150000.61.2 | CVE-2024-21626 | CVE-2024-21626 |
| java-17-openjdk-headless 17.0.10.0-150400.3.36.1 | CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20932, CVE-2024-20945, CVE-2024-20952 | CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20932, CVE-2024-20945, CVE-2024-20952 |
| docker-rootless-extras 24.0.7_ce-150000.193.1 | CVE-2024-23651, CVE-2024-23652, CVE-2024-23653 | CVE-2024-23651, CVE-2024-23652, CVE-2024-23653 |
| docker 24.0.7_ce-150000.193.1 | CVE-2024-23651, CVE-2024-23652, CVE-2024-23653 | CVE-2024-23651, CVE-2024-23652, CVE-2024-23653 |
| postfix-bdb 3.5.9-150300.5.15.1 | CVE-2023-32182 | CVE-2023-32182 |
| xen-libs 4.16.5_12-150400.4.46.1 | CVE-2023-46839 | CVE-2023-46839 |
| Openssh 8.4p1-150300.3.30.1 |
CVE-2023-51385 | CVE-2023-51385 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-25971 | Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-25971 | Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L |
Affected Products and Remediation
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell Power Protect Data Manager | Versions prior to 19.16 | 19.16 build 04 or later | PPDM drivers and downloads |
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell Power Protect Data Manager | Versions prior to 19.16 | 19.16 build 04 or later | PPDM drivers and downloads |
The Affected Products and Remediation table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
CVEs reported based on 02/27/2024 code freeze date.
CVEs reported based on 02/27/2024 code freeze date.
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-03-28 | Initial Release |
Related Information
Legal Information
Article Properties
Affected Product
PowerProtect Data Manager Appliance, PowerProtect Data Manager, PowerProtect Data Manager Essentials
Last Published Date
28 Mar 2024
Version
1
Article Type
Dell Security Advisory