Artikelnummer: 000213011
DSA-2023-071: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities – 7.0.450
Samenvatting: Dell VxRail remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Article content
Impact
Critical
Gegevens
| Third-party Component | CVEs | More Information |
|---|---|---|
| VMware ESXi | CVE-2023-1017, CVE-2023-1018 | For more information, see VMware’s release notes. |
| Dell PowerEdge BIOS | CVE-2022-34406, CVE-2022-34407, CVE-2022-34408, CVE-2022-34409, CVE-2022-34410, CVE-2022-34411, CVE-2022-34412, CVE-2022-34413, CVE-2022-34414, CVE-2022-34415, CVE-2022-34416, CVE-2022-34417, CVE-2022-34418, CVE-2022-34419, CVE-2022-34420, CVE-2022-34421, CVE-2022-34422, CVE-2022-34423, CVE-2022-34376, CVE-2022-34377 | DSA-2022-204 |
| Dell PowerEdge BIOS | CVE-2022-38090, CVE-2022-36794, CVE-2022-36348, CVE-2022-33972, CVE-2022-33196, CVE-2022-32231, CVE-2022-30704, CVE-2022-30539, CVE-2022-26837, CVE-2022-26343, CVE-2022-21216, CVE-2021-0187 | For more information see, DSA-2023-014 |
| Dell PowerEdge BIOS | CVE-2023-20594, CVE-2023-20597 | For more information, see DSA-2023-348 |
| iDRAC8 | CVE-2022-34436 | DSA-2022-265 |
| iDRAC9 | CVE-2022-44640 | DSA-2023-162 |
| Intel | CVE-2021-33126, CVE-2021-33128, CVE-2022-28709 | Intel-SA-00593 |
| Intel | CVE-2022-36416, CVE-2022-36797 | Intel-SA-00750 |
| Spring Framework | CVE-2022-22970, CVE-2022-22971 | See NVD link below for individual scores for each CVE. https://nvd.nist.gov/ |
| OpenSSL | CVE-2023-0215 | OpenSSL |
| Cilium | CVE-2022-29179 | See NVD link below for individual scores for each CVE. https://nvd.nist.gov/ |
| SUSE | CVE-2016-3709, CVE-2017-5601, CVE-2018-10903, CVE-2018-13405, CVE-2019-1010204, CVE-2020-10735, CVE-2020-16119, CVE-2021-20251, CVE-2021-22569, CVE-2021-28153, CVE-2021-28861, CVE-2021-3530, CVE-2021-3618, CVE-2021-3648, CVE-2021-36690, CVE-2021-36976, CVE-2021-3826, CVE-2021-3928, CVE-2021-4037, CVE-2021-45078, CVE-2021-46195, CVE-2021-46848, CVE-2022-0561, CVE-2022-1664, CVE-2022-1941, CVE-2022-20008, CVE-2022-2153, CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21626, CVE-2022-21628, CVE-2022-23471, CVE-2022-23491, CVE-2022-2503, CVE-2022-2519, CVE-2022-2520, CVE-2022-2521, CVE-2022-2586, CVE-2022-2601, CVE-2022-2602, CVE-2022-27191, CVE-2022-27943, CVE-2022-2795, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-28693, CVE-2022-28748, CVE-2022-2964, CVE-2022-2978, CVE-2022-2980, CVE-2022-2982, CVE-2022-3037, CVE-2022-3099, CVE-2022-3105, CVE-2022-3107, CVE-2022-3108, CVE-2022-3112, CVE-2022-3115, CVE-2022-3134, CVE-2022-3153, CVE-2022-3169, CVE-2022-3171, CVE-2022-3176, CVE-2022-32221, CVE-2022-32296, CVE-2022-3234, CVE-2022-3235, CVE-2022-3239, CVE-2022-3278, CVE-2022-3296, CVE-2022-3297, CVE-2022-3303, CVE-2022-3324, CVE-2022-3352, CVE-2022-3424, CVE-2022-34266, CVE-2022-3435, CVE-2022-34526, CVE-2022-3479, CVE-2022-3491, CVE-2022-3515, CVE-2022-3520, CVE-2022-3521, CVE-2022-3524, CVE-2022-3535, CVE-2022-3542, CVE-2022-3545, CVE-2022-3564, CVE-2022-3565, CVE-2022-3567, CVE-2022-3570, CVE-2022-35737, CVE-2022-3577, CVE-2022-3586, CVE-2022-3591, CVE-2022-3594, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3621, CVE-2022-3623, CVE-2022-3625, CVE-2022-3626, CVE-2022-3627, CVE-2022-3628, CVE-2022-3629, CVE-2022-3635, CVE-2022-3643, CVE-2022-3646, CVE-2022-3649, CVE-2022-37026, CVE-2022-3705, CVE-2022-3707, CVE-2022-37454, CVE-2022-3775, CVE-2022-37966, CVE-2022-38023, CVE-2022-38126, CVE-2022-38127, CVE-2022-38177, CVE-2022-38178, CVE-2022-38533, CVE-2022-3903, CVE-2022-39189, CVE-2022-39399, CVE-2022-3970, CVE-2022-40303, CVE-2022-40304, CVE-2022-40307, CVE-2022-40674, CVE-2022-40768, CVE-2022-4095, CVE-2022-41218, CVE-2022-41222, CVE-2022-4129, CVE-2022-4139, CVE-2022-4141, CVE-2022-41674, CVE-2022-41741, CVE-2022-41742, CVE-2022-41848, CVE-2022-41849, CVE-2022-41850, CVE-2022-41858, CVE-2022-42010, CVE-2022-42011, CVE-2022-42012, CVE-2022-42328, CVE-2022-42329, CVE-2022-42432, CVE-2022-42703, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42895, CVE-2022-42896, CVE-2022-42898, CVE-2022-4292, CVE-2022-4293, CVE-2022-4304, CVE-2022-43680, CVE-2022-43750, CVE-2022-4378, CVE-2022-43945, CVE-2022-43995, CVE-2022-4450, CVE-2022-44617, CVE-2022-45061, CVE-2022-45934, CVE-2022-46285, CVE-2022-4662, CVE-2022-47520, CVE-2022-47629, CVE-2022-47929, CVE-2022-48281, CVE-2022-4883, CVE-2023-0215, CVE-2023-0266, CVE-2023-0286, CVE-2023-0767, CVE-2023-22809, CVE-2023-23454, CVE-2023-23455 | For more information, see SUSE.com |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-23694 | Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| CVE-2023-23693 | Dell VxRail, versions prior to 7.0.450, contains an OS command injection Vulnerability in DCManager command-line utility. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | 6.7 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H |
| CVE-2023-32464 | Dell VxRail, versions prior to 7.0.450, contain an improper certificate validation vulnerability. A high privileged remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit. | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-23694 | Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| CVE-2023-23693 | Dell VxRail, versions prior to 7.0.450, contains an OS command injection Vulnerability in DCManager command-line utility. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | 6.7 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H |
| CVE-2023-32464 | Dell VxRail, versions prior to 7.0.450, contain an improper certificate validation vulnerability. A high privileged remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim’s data in transit. | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
Getroffen producten en herstel
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell EMC VxRail Appliance | Versions prior to 7.0.450 | Version 7.0.450 | 7.0.450 |
| Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|
| Dell EMC VxRail Appliance | Versions prior to 7.0.450 | Version 7.0.450 | 7.0.450 |
Revisiegeschiedenis
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2023-05-04 | Initial Release |
| 2.0 | 2023-05-22 | Formatting changes made |
| 3.0 | 2023-06-14 | Added CVE-2022-29179 and CVE-2023-32464 |
| 4.0 | 2023-07-14 | Amended with CVE for iDRAC vulnerability |
| 5.0 | 2023-09-01 | Updated for enhanced presentation with no changes to content, including adding icon for external links and links to CVSS calculator. |
| 6.0 | 2023-10-11 | Amended for PowerEdge and AMD Server Vulnerabilities |
| 7.0 | 2023-10-27 | Amended to add Dell PowerEdge BIOS vulnerabilities |
Verwante informatie
Juridische informatie
Artikeleigenschappen
Getroffen product
VxRail, CloudArray Virtual Edition for VxRail Appliance, VMWare Cloud on Dell EMC VxRail E560F, VMWare Cloud on Dell EMC VxRail E560N, VxRail 460 and 470 Nodes, VxRail Appliance Family, VxRail Appliance Series, VxRail G410, VxRail G Series Nodes
, VxRail D Series Nodes, VxRail D560, VxRail D560F, VxRail E Series Nodes, VxRail E460, VxRail E560, VxRail E560 VCF, VxRail E560F, VxRail E560F VCF, VxRail E560N, VxRail E560N VCF, VxRail E660, VxRail E660F, VxRail E660N, VxRail E665, VxRail E665F, VxRail E665N, VxRail G560, VxRail G560 VCF, VxRail G560F, VxRail G560F VCF, VxRail Gen2 Hardware, VxRail P Series Nodes, VxRail P470, VxRail P570, VxRail P570 VCF, VxRail P570F, VxRail P570F VCF, VxRail P580N, VxRail P580N VCF, VXRAIL P670F, VxRail P670N, VxRail P675F, VxRail P675N, VxRail S Series Nodes, VxRail S470, VxRail S570, VxRail S570 VCF, VxRail S670, VxRail Software, VxRail V Series Nodes, VxRail V470, VxRail V570, VxRail V570 VCF, VxRail V570F, VxRail V570F VCF, VXRAIL V670F, VxRail VD-4000R, VxRail VD-4000W, VxRail VD-4000Z, VxRail VD-4510C, VxRail VD-4520C, VxRail VD Series Nodes
...
Datum laatst gepubliceerd
27 okt. 2023
Versie
10
Artikeltype
Dell Security Advisory