DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability
概要: Dell Unity, Unity VSA and Unity XT remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
この記事は次に適用されます:
この記事は次には適用されません:
この記事は、特定の製品に関連付けられていません。
すべての製品パージョンがこの記事に記載されているわけではありません。
影響
Critical
詳細
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-43074 | Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server. | 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L |
| CVE-2023-43065 | Dell Unity prior to 5.3 contains a Cross-site scripting vulnerability. A low-privileged authenticated attacker can exploit these issues to obtain escalated privileges. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
| CVE-2023-43066 | Dell Unity prior to 5.3 contains a Restricted Shell Bypass vulnerability. This could allow an authenticated, local attacker to exploit this vulnerability by authenticating to the device CLI and issuing certain commands. | 5.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L |
| CVE-2023-43067 | Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability disclosing local files in the file system. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2023-43082 | Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA could be spoofed by an attacker who can obtain a CA-signed certificate. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-22229 | Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities. | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-43074 | Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server. | 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L |
| CVE-2023-43065 | Dell Unity prior to 5.3 contains a Cross-site scripting vulnerability. A low-privileged authenticated attacker can exploit these issues to obtain escalated privileges. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
| CVE-2023-43066 | Dell Unity prior to 5.3 contains a Restricted Shell Bypass vulnerability. This could allow an authenticated, local attacker to exploit this vulnerability by authenticating to the device CLI and issuing certain commands. | 5.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L |
| CVE-2023-43067 | Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability disclosing local files in the file system. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2023-43082 | Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA could be spoofed by an attacker who can obtain a CA-signed certificate. | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| CVE-2024-22229 | Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities. | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
影響を受ける製品と修復
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell Unity Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell UnityVSA Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell Unity XT Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell Unity Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell UnityVSA Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
| Dell Unity XT Operating Environment (OE) | Versions prior to 5.3.0.0.5.120 | Version 5.3.0.0.5.120 | https://www.dell.com/support/home/product-support/product/unity-all-flash-family/drivers |
変更履歴
|
Revision |
Date |
Description |
|---|---|---|
|
1.0 |
2023-05-08 |
Initial Release |
| 2.0 | 2023-09-01 | Updated for enhanced presentation with no changes to content. |
| 3.0 | 2023-10-23 | Added 4 new CVEs, CVE-2023-43074, CVE-2023-43065, CVE-2023-43066, CVE-2023-43067 under "PROPRIERTARY CODE" section |
| 4.0 | 2023-11-22 | Added 1 new CVE-2023-43082 under "PROPRIERTARY CODE" section |
| 5.0 | 2024-01-24 | Added 1 new CVE-2024-22229 under "PROPRIERTARY CODE" section |
関連情報
法的免責事項
対象製品
Dell EMC Unity, Dell Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell Unity Operating Environment (OE), Dell EMC UnityVSA Professional Edition/Unity Cloud Edition文書のプロパティ
文書番号: 000213152
文書の種類: Dell Security Advisory
最終更新: 09 9月 2025
質問に対する他のDellユーザーからの回答を見つける
サポート サービス
お使いのデバイスがサポート サービスの対象かどうかを確認してください。