DSA-2025-097: Security Update for Dell ObjectScale 4.0 Multiple Vulnerabilities
Resumen: Dell ObjectScale remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Este artículo se aplica a:
Este artículo no se aplica a:
Este artículo no está vinculado a ningún producto específico.
En este artículo no se identifican todas las versiones de los productos.
Impacto
Critical
Información adicional
As of release 4.x the ECS product name has been rebranded as ObjectScale (OBS). This Security Advisory communicates vulnerabilities affecting the 3.8.1.4 release and its prior versions. Those are remediated in the series now referred to as ObjectScale (OBS).
Detalles
|
Third-party Component |
CVEs |
More Information |
|
Apache Commons Configuration |
CVE-2024-29133, CVE-2024-29131 |
|
|
Bouncy Castle |
CVE-2023-33202, CVE-2024-34447, CVE-2024-30171, CVE-2024-30172, CVE-2024-29857, CVE-2023-33201 |
|
|
crypto/tls |
CVE-2023-45287 |
|
|
Docker |
CVE-2020-8694, CVE-2020-8695, CVE-2024-24557 |
|
|
eclipse jetty |
CVE-2024-22201, CVE-2023-44487, CVE-2021-28169, CVE-2021-34428, CVE-2021-34429, CVE-2022-2047, CVE-2022-2048, CVE-2023-26048, CVE-2023-26049, CVE-2023-36478, CVE-2023-36479, CVE-2023-40167, CVE-2023-41900 |
|
|
Expat |
CVE-2024-28757, CVE-2022-40674, CVE-2022-43680, CVE-2023-52425 |
|
|
github.com/crewjam/saml |
CVE-2022-41912, CVE-2023-28119, CVE-2023-45683 |
|
|
go.uuid |
CVE-2021-3538 |
|
|
Golang |
CVE-2022-23806, CVE-2022-41716, CVE-2021-3115, CVE-2020-28367, CVE-2020-28366 |
|
|
golang.org/x/net |
CVE-2023-44487 |
|
|
Html |
CVE-2023-3978 |
|
|
Goxmldsig |
CVE-2020-7711 |
|
|
go-yaml |
CVE-2022-28948 |
|
|
h2database |
CVE-2021-23463, CVE-2021-42392, CVE-2022-23221, CVE-2022-45868 |
|
|
Idna |
CVE-2024-3651 |
|
|
jackson-databind |
CVE-2020-36518, CVE-2022-42003, CVE-2022-42004, CVE-2021-46877, CVE-2023-35116 |
|
|
Jersey |
CVE-2021-28168 |
|
|
jose.v2 |
CVE-2024-28180 |
|
|
libseccomp2 |
CVE-2019-9893 |
|
|
logback receiver |
CVE-2023-6378 |
|
|
math/big |
CVE-2020-28362 |
|
|
net/http2 |
CVE-2023-45288, CVE-2023-39325, CVE-2022-27664, CVE-2022-41717, CVE-2022-41723 |
|
|
Netty Project |
CVE-2024-29025, CVE-2022-24823, CVE-2022-41881, CVE-2023-34462 |
|
|
Nginx |
CVE-2023-44487 |
|
|
Openssh |
CVE-2023-48795 |
|
|
Openssl |
CVE-2024-0727, CVE-2020-36242, CVE-2023-49083 |
|
|
PostgreSQL JDBC Driver (pgjdbc) |
CVE-2022-31197, CVE-2022-41946, CVE-2024-1597 |
|
|
Protobuf |
CVE-2024-24786 |
|
|
Pyopenssl |
CVE-2018-1000808, CVE-2018-1000807 |
|
|
Pytest |
CVE-2020-29651 |
|
|
python/requests |
CVE-2018-18074, CVE-2024-35195 |
|
|
python311-base |
CVE-2024-4032 |
|
|
python3-urllib3 |
CVE-2023-46218, CVE-2024-37891 |
|
|
Setuptools |
CVE-2022-40897 |
|
|
snappy-java |
CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-43642 |
|
|
spring-expression |
CVE-2024-38808 |
|
|
Zookeeper |
CVE-2024-23944, CVE-2023-44981 |
|
Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
|
CVE-2025-26477 |
Dell ECS version 3.8.1.4 and prior contain an Improper Input Validation vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution. |
4.3 |
|
|
CVE-2025-26478 |
Dell ECS version 3.8.1.4 and prior contain an Improper Certificate Validation vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure. |
3.1 |
|
Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
|
CVE-2025-26477 |
Dell ECS version 3.8.1.4 and prior contain an Improper Input Validation vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution. |
4.3 |
|
|
CVE-2025-26478 |
Dell ECS version 3.8.1.4 and prior contain an Improper Certificate Validation vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure. |
3.1 |
Productos afectados y corrección
|
Product |
Affected Versions |
Remediated Version |
Link |
|
Dell ObjectScale |
Versions prior to 4.0 |
Version 4.0 or later |
|
Product |
Affected Versions |
Remediated Version |
Link |
|
Dell ObjectScale |
Versions prior to 4.0 |
Version 4.0 or later |
Dell recommends all customers have their ObjectScale systems upgraded at the earliest opportunity by opening an “Operating Environment Upgrade” Service Request. Customers on ECS 3.8.1.x and ECS 3.8.0.x can upgrade directly to OBS 4.0. Customers on versions prior to ECS 3.8.x need to upgrade to ECS 3.8.x first before upgrading to OBS 4.0.
Note: Please visit the Security Update Release Schedule for Supported Versions of ObjectScale (formerly ECS) for more information.
Historial de revisiones
|
Revision |
Date |
Description |
|
1.0 |
2024-03-26 |
Initial Release |
|
2.0 |
2024-04-16 |
Revised Wording |
Información relacionada
Aviso legal
Productos afectados
ECS Appliance Hardware Gen3 EX5000, ECS Appliance Hardware Gen3 EX300, ECS Appliance Hardware Gen3 EX3000, ECS Appliance Hardware Gen2 U-Series, ECS Appliance Hardware Gen3 EX500, ECS Appliance Hardware Gen3 EXF900, ECS Appliance Hardware SeriesPropiedades del artículo
Número de artículo: 000300068
Tipo de artículo: Dell Security Advisory
Última modificación: 16 abr 2025
Encuentra las respuestas que necesitas con la ayuda de otros usuarios de Dell
Servicios de asistencia
Comprueba si tu dispositivo está cubierto por los servicios de asistencia.