Risk | High |
Patch available | YES |
Number of vulnerabilities | 18 |
CVE-ID | CVE-2017-5648 CVE-2018-8034 CVE-2018-8014 CVE-2018-1336 CVE-2018-1305 CVE-2018-1304 CVE-2017-12617 CVE-2017-7674 CVE-2017-5664 CVE-2017-5647 CVE-2016-8735 CVE-2016-6817 CVE-2016-6816 CVE-2016-6797 CVE-2016-6796 CVE-2016-6794 CVE-2016-5018 CVE-2016-0762 |
CWE-ID | CWE-284 CWE-264 CWE-200 CWE-835 CWE-20 CWE-119 CWE-863 |
Exploitation vector | Network |
Public exploit | Vulnerability #7 is being exploited in the wild. Vulnerability #11 is being exploited in the wild. Public exploit code for vulnerability #13 is available. Public exploit code for vulnerability #17 is available. |
Vulnerable software | EMC Cloud Tiering Appliance (Other software / Other software solutions) |
Vendor | Dell |
Security Bulletin
This security bulletin contains information about 18 vulnerabilities.
EUVDB-ID: #VU6675
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5648
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists because certain application listener calls fail to use the appropriate facade object. A remote attacker can access and modify arbitrary data.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13992
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-8034
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists because host name verification was missing when using TLS with the WebSocket client. A remote unauthenticated attacker can bypass security restrictions when using TLS.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU12798
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-8014
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description
supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. A remote attacker can access important data.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13986
Risk: Medium
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1336
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
Description
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The vulnerability exists due to improper handling of overflow in the UTF-8 decoder with supplementary characters. A remote attacker can trigger an infinite loop in the decoder and cause the service to crash.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU10706
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1305
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists because security constraints defined by annotations of Servlets are only applied once a Servlet has been loaded. A remote attacker can supply a specially crafted URL pattern and any URLs below that point, bypass security restrictions and gain unauthorised access to arbitrary resources.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU10707
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1304
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists because the URL pattern "" (the empty string), which maps exactly to the context root, was not correctly handled when used as part of a security constraint definition. A remote attacker can supply a specially crafted URL, bypass security restrictions and gain unauthorised access to web application resources.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8669
Risk: High
CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2017-12617
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to insufficient validation of user-supplied input when running with HTTP PUTs enabled. A remote attacker can send a specially crafted request to upload a JSP file to the server and execute arbitrary code on the system.
Successful exploitation of the vulnerability may result in full system compromise.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU8697
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7674
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to conduct client and server side cache poisoning.
The weakness exists because the CORS Filter fails to add an HTTP Vary header indicating that the response varies depending on Origin. A remote attacker can trick the victim into following a specially crafted link and conduct client and server side cache poisoning.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU6950
Risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5664
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to improper handling of certain HTTP request methods for static error pages in Default Servlet. A remote attacker can bypass HTTP method restrictions and cause the error page to be deleted or replaced.
Successful exploitation of the vulnerability results in information modification.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU6674
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5647
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists because the handling of pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. A remote attacker can cause responses to appear to be sent for the wrong request.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU1183
Risk: Medium
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2016-8735
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists within the JmxRemoteLifecycleListener listener component due to usage of vulnerable Oracle code, fixed in CVE-2016-3427. A remote unauthenticated attacker with the ability to connect to the vulnerable listener can execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to gain complete control over the vulnerable system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU1185
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-6817
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a DoS attack.
The vulnerability exists due to a boundary error when parsing HTTP/2 headers. A remote attacker can send a specially crafted HTTP/2 header longer than the available buffer and trigger an infinite loop.
Successful exploitation of the vulnerability may result in denial of service.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU1184
Risk: Low
CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-6816
CWE-ID:
CWE-200 - Information exposure
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to manipulate HTTP responses.
The vulnerability exists due to incorrect parsing of HTTP requests. A remote attacker can send a specially crafted HTTP request containing specially crafted characters and perform XSS attacks, manipulate HTTP responses or obtain potentially sensitive data, belonging to other sessions.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information, but requires presence of a proxy server, which does not block injected characters.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU64585
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-6797
CWE-ID:
CWE-863 - Incorrect Authorization
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the ResourceLinkFactory implementation in Apache Tomcat does not limit web application access to global JNDI resources to those resources explicitly linked to the web application. A remote unauthenticated attacker can access any global JNDI resource whether an explicit ResourceLink had been configured or not.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU1092
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-6796
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows an application to bypass security manager restrictions on the target system.
The weakness is due to improper access control. By modifying configuration parameters for the JSP Servlet, a malicious application can bypass a configured SecurityManager.
Successful exploitation of the vulnerability results in security bypass.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU1090
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-6794
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows an application to obtain potentially sensitive information on the target system.
The weakness is due to insufficient access control. By invoking the system property replacement feature, a malicious application can bypass a configured SecurityManager and read potentially sensitive system properties.
Successful exploitation of the vulnerability results in disclosure of important data on the vulnerable system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU1093
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-5018
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
Description
The vulnerability allows an application to bypass security manager restrictions on the target system.
The weakness is due to improper access control. By invoking a certain Tomcat utility method, a malicious application can bypass a configured SecurityManager.
Successful exploitation of the vulnerability results in security bypass.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU55165
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0762
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Provisioning (Apache Tomcat) component in Oracle Communications Diameter Signaling Router (DSR). A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
Mitigation
Install update from vendor's website.
Vulnerable software versions
EMC Cloud Tiering Appliance: before 13.1.0.2.20
Reference: http://www.dell.com/support/kbdoc/en-us/000193541/dsa-2021-248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.