Multiple vulnerabilities in Dell Enterprise Hybrid Cloud



Published: 2022-08-11
Risk Critical
Patch available YES
Number of vulnerabilities 24
CVE-ID CVE-2022-31664
CVE-2022-21166
CVE-2022-21125
CVE-2022-21123
CVE-2022-22982
CVE-2022-31655
CVE-2022-31654
CVE-2022-23825
CVE-2022-23816
CVE-2022-28693
CVE-2022-29901
CVE-2022-31665
CVE-2022-31663
CVE-2022-31662
CVE-2022-31661
CVE-2022-31660
CVE-2022-31659
CVE-2022-31658
CVE-2022-31657
CVE-2022-31656
CVE-2022-31675
CVE-2022-31674
CVE-2022-31673
CVE-2022-31672
CWE-ID CWE-264
CWE-200
CWE-918
CWE-79
CWE-843
CWE-1037
CWE-94
CWE-22
CWE-89
CWE-601
CWE-287
Exploitation vector Network
Public exploit Public exploit code for vulnerability #16 is available.
Vulnerable software
Subscribe
Dell Enterprise Hybrid Cloud
Server applications / Virtualization software

Vendor Dell

Security Bulletin

This security bulletin contains information about 24 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65990

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31664

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper privilege management. A local user can execute arbitrary code with root privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Information disclosure

EUVDB-ID: #VU64366

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21166

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists in Intel processors due to excessive data output when DirectPath I/O (PCI-Passthrough) is utilized. An attacker (both local and remote) with administrative access to a virtual machine that has an attached DirectPath I/O (PCI-Passthrough) device can obtain information stored in physical memory about the hypervisor or other virtual machines that reside on the same host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Information disclosure

EUVDB-ID: #VU64365

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21125

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists in Intel processors due to excessive data output when DirectPath I/O (PCI-Passthrough) is utilized. An attacker (both local and remote) with administrative access to a virtual machine that has an attached DirectPath I/O (PCI-Passthrough) device can obtain information stored in physical memory about the hypervisor or other virtual machines that reside on the same host.



Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Information disclosure

EUVDB-ID: #VU64364

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21123

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists in Intel processors due to excessive data output when DirectPath I/O (PCI-Passthrough) is utilized. An attacker (both local and remote) with administrative access to a virtual machine that has an attached DirectPath I/O (PCI-Passthrough) device can obtain information stored in physical memory about the hypervisor or other virtual machines that reside on the same host.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU65211

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-22982

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Cross-site scripting

EUVDB-ID: #VU65209

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31655

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Cross-site scripting

EUVDB-ID: #VU65208

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31654

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Type Confusion

EUVDB-ID: #VU65204

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-23825

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a branch type confusion. A local user can force the branch predictor to predict the wrong branch type and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Type Confusion

EUVDB-ID: #VU65219

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-23816

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a branch type confusion. A local user can force the branch predictor to predict the wrong branch type and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Processor optimization removal or modification of security-critical code

EUVDB-ID: #VU65221

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-28693

CWE-ID: CWE-1037 - Processor optimization removal or modification of security-critical code

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to unprotected alternative channel of return branch target prediction. A local user can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Processor optimization removal or modification of security-critical code

EUVDB-ID: #VU65220

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-29901

CWE-ID: CWE-1037 - Processor optimization removal or modification of security-critical code

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the way non-transparent sharing of branch predictor targets between contexts. A local user can exploit the vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) Code Injection

EUVDB-ID: #VU65991

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31665

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when handling JDBC string. A remote privileged user can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) Cross-site scripting

EUVDB-ID: #VU65989

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31663

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

14) Path traversal

EUVDB-ID: #VU65988

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-31662

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

15) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65987

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31661

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper privilege management. A local user can execute arbitrary code with root privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

16) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU65986

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31660

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper privilege management. A local user can execute arbitrary code with root privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

17) SQL injection

EUVDB-ID: #VU65985

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31659

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

18) Code Injection

EUVDB-ID: #VU65984

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31658

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when handling JDBC string. A remote privileged user can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

19) Open redirect

EUVDB-ID: #VU65983

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31657

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

20) Improper Authentication

EUVDB-ID: #VU65957

Risk: Critical

CVSSv3.1:

CVE-ID: CVE-2022-31656

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an error in authentication process affecting local domain users. A remote non-authenticated attacker with access to the UI can bypass authentication process and gain administrative access to the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

21) Improper Authentication

EUVDB-ID: #VU66354

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-31675

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when processing authentication requests. A remote non-authenticated attacker can bypass authentication process and create a user with administrative privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

22) Information disclosure

EUVDB-ID: #VU66353

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31674

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

23) Information disclosure

EUVDB-ID: #VU66352

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31673

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to exposure of hex dumps. A remote user can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

24) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU66351

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31672

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions. A remote user with administrative privileges can execute arbitrary code as root.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Enterprise Hybrid Cloud: before 4.1.2


CPE2.3
External links

http://www.dell.com/support/kbdoc/nl-nl/000202365/dsa-2022-216-dell-emc-enterprise-hybrid-cloud-security-update-for-multiple-third-party-component-vulnerabilities

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###