Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

Article Number: 000203434


DSA-2022-264: Cloud Mobility for Dell Storage Security Update for an Insecure Database Vulnerability

Summary: Cloud Mobility for Dell Storage, versions before and including 1.3.0, contain an authorization bypass vulnerability. A nonauthorized user may potentially exploit this vulnerability, leading to complete data exposure of information stored within the products database. ...

Article Content


Impact

Medium

Details

Proprietary Code CVE Description CVSS Base Score CVSS Vector String
CVE-2022-34434 Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. A threat actor with root level access to either the vApp or containerized versions of Cloud Mobility may potentially exploit this vulnerability, leading to the modification or deletion of tables that are required for many of the core functionalities of Cloud Mobility. Exploitation may lead to the compromise of integrity and availability of the normal functionality of the Cloud Mobility application.     6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 
Proprietary Code CVE Description CVSS Base Score CVSS Vector String
CVE-2022-34434 Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. A threat actor with root level access to either the vApp or containerized versions of Cloud Mobility may potentially exploit this vulnerability, leading to the modification or deletion of tables that are required for many of the core functionalities of Cloud Mobility. Exploitation may lead to the compromise of integrity and availability of the normal functionality of the Cloud Mobility application.     6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed Product Affected Versions Updated Version Link to Update
CVE-2022-34434 Cloud Mobility for Dell Storage Versions before and including 1.3.0 1.3.1 AWS:
https://aws.amazon.com/marketplace/pp/prodview-puxtams7ngwwk#pdp-usage
VMware:
https://marketplace.cloud.vmware.com/services/details/cloud-mobility-for-dell-emc-storage-1-1-1-1-1?slug=true
CVEs Addressed Product Affected Versions Updated Version Link to Update
CVE-2022-34434 Cloud Mobility for Dell Storage Versions before and including 1.3.0 1.3.1 AWS:
https://aws.amazon.com/marketplace/pp/prodview-puxtams7ngwwk#pdp-usage
VMware:
https://marketplace.cloud.vmware.com/services/details/cloud-mobility-for-dell-emc-storage-1-1-1-1-1?slug=true

Workarounds and Mitigations

The vulnerability may be avoided by creating a dynamic password that is generated upon database startup and stored securely. Next the trust of all internal connections is removed, requiring connections to use the newly created password to access the database.

Revision History

RevisionDateDescription
1.009-15-2022Initial release 

Related Information


Article Properties


Affected Product

Product Security Information

Last Published Date

19 Sept 2022

Version

3

Article Type

Dell Security Advisory