DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability
Riepilogo: Dell Unity, Unity VSA and Unity XT remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Questo articolo si applica a
Questo articolo non si applica a
Questo articolo non è legato a un prodotto specifico.
Non tutte le versioni del prodotto sono identificate in questo articolo.
Impatto
Critical
Dettagli
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-43074 | Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server. | 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L |
| CVE-2023-43065 | Dell Unity prior to 5.3 contains a Cross-site scripting vulnerability. A low-privileged authenticated attacker can exploit these issues to obtain escalated privileges. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
| CVE-2023-43066 | Dell Unity prior to 5.3 contains a Restricted Shell Bypass vulnerability. This could allow an authenticated, local attacker to exploit this vulnerability by authenticating to the device CLI and issuing certain commands. | 5.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L |
| CVE-2023-43067 | Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability disclosing local files in the file system. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2023-43082 | Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA could be spoofed by an attacker who can obtain a CA-signed certificate. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-22229 | Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities. | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-43074 | Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server. | 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L |
| CVE-2023-43065 | Dell Unity prior to 5.3 contains a Cross-site scripting vulnerability. A low-privileged authenticated attacker can exploit these issues to obtain escalated privileges. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
| CVE-2023-43066 | Dell Unity prior to 5.3 contains a Restricted Shell Bypass vulnerability. This could allow an authenticated, local attacker to exploit this vulnerability by authenticating to the device CLI and issuing certain commands. | 5.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L |
| CVE-2023-43067 | Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability disclosing local files in the file system. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2023-43082 | Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA could be spoofed by an attacker who can obtain a CA-signed certificate. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-22229 | Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities. | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
Prodotti interessati e correzione
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell Unity Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell UnityVSA Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell Unity XT Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell Unity Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell UnityVSA Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell Unity XT Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
Cronologia delle revisioni
|
Revision |
Date |
Description |
|---|---|---|
|
1.0 |
2023-05-08 |
Initial Release |
| 2.0 | 2023-09-01 | Updated for enhanced presentation with no changes to content. |
| 3.0 | 2023-10-23 | Added 4 new CVEs, CVE-2023-43074, CVE-2023-43065, CVE-2023-43066, CVE-2023-43067 under "PROPRIERTARY CODE" section |
| 4.0 | 2023-11-22 | Added 1 new CVE-2023-43082 under "PROPRIERTARY CODE" section |
| 5.0 | 2024-01-24 | Added 1 new CVE-2024-22229 under "PROPRIERTARY CODE" section |
Informazioni correlate
Dichiarazione di non responsabilità
Prodotti interessati
Dell EMC Unity, Dell Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell Unity Operating Environment (OE), Dell EMC UnityVSA Professional Edition/Unity Cloud EditionProprietà dell'articolo
Numero articolo: 000213152
Tipo di articolo: Dell Security Advisory
Ultima modifica: 09 set 2025
Trova risposta alle tue domande dagli altri utenti Dell
Support Services
Verifica che il dispositivo sia coperto dai Servizi di supporto.