Dell EMC OpenManage Enterprise False Positive Security Vulnerabilities
Riepilogo: This article provides a list of security vulnerabilities that cannot be exploited on all versions of Dell EMC OpenManage Enterprise, but which may be identified by security scanners.
Questo articolo si applica a
Questo articolo non si applica a
Questo articolo non è legato a un prodotto specifico.
Non tutte le versioni del prodotto sono identificate in questo articolo.
Tipo di articolo sulla sicurezza
Security KB
ID CVE
The CVE IDs are listed in the table below.
Riepilogo del problema
This article provides a list of security vulnerabilities that cannot be exploited on all versions of Dell EMC OpenManage Enterprise, but which may be identified by security scanners.
Raccomandazioni
The vulnerabilities that are listed in the table below are in order by the date on which Dell EMC OpenManage Enterprise Engineering determined that all versions of Dell EMC OpenManage Enterprise were not vulnerable.
| Third-party Component | CVE IDs | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
| Log4j-2.16 | CVE-2021-45105 | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to potentially cause a denial of service when a crafted string is interpreted. | Dell EMC Open Manage Enterprise log configuration is not using the context lookups (for example, ${ctx:loginId}) in the Log4j pattern layout. | December 17, 2021 |
| Log4j-2.16 | CVE-2021-44832 | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file may potentially construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can run remote code. | Dell EMC Open Manage Enterprise team confirmed that JDBC Appender is being used, and it is not configured to use any protocol other than Java.
|
December 29, 2021 |
| Spring-mvc | CVE-2022-22965 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) using data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. | This vulnerability is not applicable to the Dell EMC Open Manage Enterprise due to the JDK usage, and deployment of the application are different from the prerequisites of the vulnerability. | April 8, 2022 |
| Spring-Cloud | CVE-2022-22963 | In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. | Open Manage Enterprise is not using the Spring Cloud libraries. | April 8, 2022 |
| Spring Framework | CVE-2022-22950 | In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and earlier unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. | Open Manage Enterprise is not using SpEL and not aware of any other practical way to exploit this vulnerability. | April 8, 2022 |
Dichiarazione di non responsabilità
Prodotti interessati
Dell OpenManage Enterprise, Dell EMC OpenManage Enterprise, Product Security InformationProprietà dell'articolo
Numero articolo: 000194933
Tipo di articolo: Security KB
Ultima modifica: 12 mag 2026
Versione: 4
Trova risposta alle tue domande dagli altri utenti Dell
Support Services
Verifica che il dispositivo sia coperto dai Servizi di supporto.