SB2022103135 - Multiple vulnerabilities in Dell EMC Data Protection Search

Security Bulletin ID SB2022103135

Severity

High

Patch available

YES

Number of vulnerabilities 29

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 29 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2020-2803)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Java component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

2) Improper input validation (CVE-ID: CVE-2020-2757)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

3) Improper input validation (CVE-ID: CVE-2020-2756)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

4) Improper input validation (CVE-ID: CVE-2020-2773)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

5) Improper input validation (CVE-ID: CVE-2020-2755)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

6) Improper input validation (CVE-ID: CVE-2020-2754)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

7) Improper input validation (CVE-ID: CVE-2020-2764)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Advanced Management Console component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

8) Improper input validation (CVE-ID: CVE-2020-2778)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

9) Improper input validation (CVE-ID: CVE-2020-2800)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Lightweight HTTP Server component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

10) Improper input validation (CVE-ID: CVE-2020-2767)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

11) Improper input validation (CVE-ID: CVE-2020-2830)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Concurrency component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

12) Improper input validation (CVE-ID: CVE-2020-2781)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JSSE component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

13) Improper input validation (CVE-ID: CVE-2020-2816)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

14) Buffer overflow (CVE-ID: CVE-2019-18197)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the xsltCopyText() function in transform.c in libxslt. A remote attacker can create a specially crafted XML document, pass it to the affected application, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

15) Improper input validation (CVE-ID: CVE-2020-2805)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

16) Improper input validation (CVE-ID: CVE-2020-2583)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

17) Improper input validation (CVE-ID: CVE-2020-2659)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Networking component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

18) Improper input validation (CVE-ID: CVE-2020-2590)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

19) Improper input validation (CVE-ID: CVE-2020-2654)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

20) Improper input validation (CVE-ID: CVE-2020-2593)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Networking component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

21) Improper input validation (CVE-ID: CVE-2020-2655)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

22) Improper input validation (CVE-ID: CVE-2020-2585)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the JavaFX component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

23) Improper input validation (CVE-ID: CVE-2020-2601)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

24) Information disclosure (CVE-ID: CVE-2019-13118)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to uninitialized stack data exposure in numbers.c in libxslt library when processing an invalid character/length combination in xsltNumberFormatDecimal. A remote attacker can gain pass specially crafted data to the application using the affected library and gain access to sensitive information.

25) Information disclosure (CVE-ID: CVE-2019-13117)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to information disclosure in numbers.c in libxslt library where an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. A remote attacker can gain knowledge whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

26) Improper input validation (CVE-ID: CVE-2020-2604)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Java component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

27) Buffer overflow (CVE-ID: CVE-2019-17666)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the P2P (Wifi-Direct) functionality in rtl_p2p_noa_ie() function in drivers/net/wireless/realtek/rtlwifi/ps.c in Linux kernel when processing Notice and Absence frames. A remote attacker can send specially crafted data via the wireless network, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

28) Path traversal (CVE-ID: CVE-2019-10220)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.

29) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-3689)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insecure permissions on the " /var/lib/nfs" directory owned by statd:nogroup in the nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system.

Successful exploitation of the vulnerability may allow a local user to escalate privileges on the system.

Remediation

Install update from vendor's website.

References

https://www.dell.com/support/kbdoc/en-us/000153596/dsa-2020-148-dell-emc-data-protection-search-security-update-for-multiple-third-party-components-vulnerabilities

SB2022103135 - Multiple vulnerabilities in Dell EMC Data Protection Search

Breakdown by Severity

Description

Remediation

References

Please verify you're human