Dell EMC OpenManage Enterprise Services False Positive Security Vulnerabilities

Summary: This article provides a list of security vulnerabilities that cannot be exploited on the Dell EMC OpenManage Enterprise Services 1.2.1 and earlier versions but which may be identified by security scanners. ...

Bu makale şunlar için geçerlidir: Bu makale şunlar için geçerli değildir: Bu makale, belirli bir ürüne bağlı değildir. Bu makalede tüm ürün sürümleri tanımlanmamıştır.
Diğer kaynaklara göz atın

Security Article Type

Security KB

CVE Identifier

The CVE IDs are listed in the table below.

Issue Summary

This article provides a list of security vulnerabilities that cannot be exploited on Dell EMC Open Manage Enterprise Services 1.2.1 and earlier versions but which may be identified by security scanners.

Details

See the 'Recommendation' section below for details on each CVE.

Recommendations

The vulnerabilities listed in the table below are in order by the date on which Dell EMC OpenManage Enterprise Services Engineering determined that Dell EMC OpenManage Enterprise Services version 1.2.1 and earlier versions were not vulnerable. 
 
Third-party Component CVE IDs Summary of Vulnerability Reason why Product is not Vulnerable Date Determined False Positive
Log4j-2.16 CVE-2021-45105 Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This may allow an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was addressed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Details from https://logging.apache.org/log4j/2.x/security.html:
Alternatively, this infinite recursion issue can be mitigated in configuration:
  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
 Dell EMC OpenManage Enterprise Services is not using context lookup in pattern layout logging configuration. Dec. 17, 2021
Log4j-2.16 CVE-2021-44832 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file may construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. Dell EMC OpenManage Enterprise Services (OMES) does not use JDBCAppender configurations. Jan. 6, 2022

Additional Information

Note: Dell EMC OpenManage Enterprise Services version 1.2.2 released on February 8, 2022 includes the update to Log4j 2.17.1. Dell EMC OpenManage Enterprise Services version 1.2.2 download link: https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=99M1R.

Yasal Uyarı

Etkilenen Ürünler

OpenManage Enterprise Services, Product Security Information
Makale Özellikleri
Article Number: 000195420
Article Type: Security KB
Son Değiştirme: 14 Şub 2022
Version:  2
Sorularınıza diğer Dell kullanıcılarından yanıtlar bulun
Destek Hizmetleri
Aygıtınızın Destek Hizmetleri kapsamında olup olmadığını kontrol edin.