DSA-2024-405: Security Update for Dell Products for Multiple Vulnerabilities
Résumé: Remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise affected systems.
Impact
Critical
Détails
| Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
| CVE-2024-37143 |
Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell PowerFlex custom node using PowerFlex Manager versions prior to 4.6.1.0, Dell InsightIQ versions prior to 5.1.1, and Dell Data Lakehouse versions prior to 1.2.0.0 contain an Improper Link Resolution Before File Access vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to execute arbitrary code on the system. |
10.0 |
|
| CVE-2024-37144 |
Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell PowerFlex custom node using PowerFlex Manager versions prior to 4.6.1.0, Dell InsightIQ versions prior to 5.1.1, and Dell Data Lakehouse versions prior to 1.2.0.0 contain an Insecure Storage of Sensitive Information vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure. The attacker may be able to use information disclosed to gain unauthorized access to pods within the cluster. |
8.2 |
| Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
| CVE-2024-37143 |
Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell PowerFlex custom node using PowerFlex Manager versions prior to 4.6.1.0, Dell InsightIQ versions prior to 5.1.1, and Dell Data Lakehouse versions prior to 1.2.0.0 contain an Improper Link Resolution Before File Access vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to execute arbitrary code on the system. |
10.0 |
|
| CVE-2024-37144 |
Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell PowerFlex custom node using PowerFlex Manager versions prior to 4.6.1.0, Dell InsightIQ versions prior to 5.1.1, and Dell Data Lakehouse versions prior to 1.2.0.0 contain an Insecure Storage of Sensitive Information vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure. The attacker may be able to use information disclosed to gain unauthorized access to pods within the cluster. |
8.2 |
Produits concernés et mesure corrective
| Product |
Software/Firmware |
Affected Versions |
Remediated Versions |
Link |
| Dell PowerFlex appliance |
Intelligent Catalog (IC) |
Versions prior to 46.381.00 |
Version 46.381.00 or later |
|
| Dell PowerFlex appliance |
Intelligent Catalog (IC) |
Versions prior to 46.376.00 |
Version 46.376.00 or later |
|
| Dell PowerFlex rack |
Release Certification Matrix (RCM) |
Versions prior to 3.8.1.0 |
Version 3.8.1.0 or later |
|
| Dell PowerFlex rack |
Release Certification Matrix (RCM) |
Versions prior to 3.7.6.0 |
Version 3.7.6.0 or later |
|
| Dell PowerFlex custom node |
PowerFlex Manager |
Versions prior to 4.6.1.0 |
Version 4.6.1.0 or later |
|
| Dell InsightIQ |
Installation Package |
Versions prior to 5.1.1 |
Version 5.1.1 or later |
|
| Dell Data Lakehouse |
Bundle |
Versions prior to 1.2.0.0 |
Version 1.2.0.0 or later |
| Product |
Software/Firmware |
Affected Versions |
Remediated Versions |
Link |
| Dell PowerFlex appliance |
Intelligent Catalog (IC) |
Versions prior to 46.381.00 |
Version 46.381.00 or later |
|
| Dell PowerFlex appliance |
Intelligent Catalog (IC) |
Versions prior to 46.376.00 |
Version 46.376.00 or later |
|
| Dell PowerFlex rack |
Release Certification Matrix (RCM) |
Versions prior to 3.8.1.0 |
Version 3.8.1.0 or later |
|
| Dell PowerFlex rack |
Release Certification Matrix (RCM) |
Versions prior to 3.7.6.0 |
Version 3.7.6.0 or later |
|
| Dell PowerFlex custom node |
PowerFlex Manager |
Versions prior to 4.6.1.0 |
Version 4.6.1.0 or later |
|
| Dell InsightIQ |
Installation Package |
Versions prior to 5.1.1 |
Version 5.1.1 or later |
|
| Dell Data Lakehouse |
Bundle |
Versions prior to 1.2.0.0 |
Version 1.2.0.0 or later |
Solutions de contournement et mesures d’atténuation
| CVE ID |
Workaround and Mitigation |
| CVE-2024-37143 |
For remediation for PowerFlex Manager versions prior to 4.6.1 (RCMs prior to 3.7.6.0/3.8.1.0 or ICs prior to 46.376.00/46.381.00), reference KB Article 000231116 Mitigation for Powerflex Manager CVE-2024-37143 (customer login required). |
Historique des révisions
|
Revision |
Date |
Description |
|
1.0 |
2024-12-09 |
Initial Release |
|
2.0 |
2024-12-10 |
Updated Affected Products section at bottom of advisory |