SB2022110110 - Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)
Published: November 1, 2022 Updated: October 31, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 43 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2020-2830)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Concurrency component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
2) Improper input validation (CVE-ID: CVE-2019-2983)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
3) Improper input validation (CVE-ID: CVE-2019-2933)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
4) Improper input validation (CVE-ID: CVE-2019-2945)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Networking component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-11068)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an error within the xsltCheckRead() and xsltCheckWrite() functions when processing requests from remote servers. A remote attacker can trick the victim into opening a specially crafted URL that will result in "-1 error" code but the URL itself will be processed by the application later.
Successful exploitation of the vulnerability may allow an attacker to bypass certain security restrictions and perform XXE attacks.6) Buffer overflow (CVE-ID: CVE-2019-18197)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the xsltCopyText() function in transform.c in libxslt. A remote attacker can create a specially crafted XML document, pass it to the affected application, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Improper input validation (CVE-ID: CVE-2020-2803)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Java component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
8) Improper input validation (CVE-ID: CVE-2020-2805)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
9) Improper input validation (CVE-ID: CVE-2020-2816)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
10) Improper input validation (CVE-ID: CVE-2020-2781)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JSSE component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
11) Improper input validation (CVE-ID: CVE-2020-2767)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
12) Improper input validation (CVE-ID: CVE-2019-2978)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Networking component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
13) Improper input validation (CVE-ID: CVE-2020-2800)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Lightweight HTTP Server component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
14) Improper input validation (CVE-ID: CVE-2020-2778)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
15) Improper input validation (CVE-ID: CVE-2020-2764)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Advanced Management Console component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
16) Improper input validation (CVE-ID: CVE-2020-2754)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
17) Improper input validation (CVE-ID: CVE-2020-2755)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
18) Improper input validation (CVE-ID: CVE-2020-2773)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
19) Improper input validation (CVE-ID: CVE-2020-2756)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
20) Improper input validation (CVE-ID: CVE-2020-2757)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
21) Buffer overflow (CVE-ID: CVE-2019-11043)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in env_path_info in PHP-FPM when processing untrusted input passed via URL. A remote attacker can send a specially crafted HTTP request to the affected server, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that php-fpm is used with nginx and certain nginx configuration was applied:
- The nginx location directive forwards requests to PHP-FPM
- The fastcgi_split_path_info directive is present and includes a regular expression beginning with a ‘^’ symbol and ending with a ‘$’ symbol
- The fastcgi_param directive is used to assign the PATH_INFO variable
- There are no checks in place to determine whether or not a file exists (e.g., using try_files or an if statemen
22) Improper input validation (CVE-ID: CVE-2019-2894)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
23) Improper input validation (CVE-ID: CVE-2019-2981)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JAXP component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
24) Improper input validation (CVE-ID: CVE-2019-2989)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Java component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
25) Type Confusion (CVE-ID: CVE-2018-9568)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a type confusion error in the sk_clone_lock() function in sock.c. A local user can run a specially crafted application to trigger memory corruption and execute arbitrary code on the target system with elevated privileges.
26) NULL pointer dereference (CVE-ID: CVE-2019-11810)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. A local user can perform a denial of service (DoS) attack.
27) Buffer overflow (CVE-ID: CVE-2019-14835)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error within the vhost/vhost_net Linux kernel module during the live migration flow when processing dirty log entries. A privileged guest user can pass descriptors with invalid length to the host when migration is on the way, trigger buffer overflow and execute arbitrary code on the host OS.
28) Improper access control (CVE-ID: CVE-2019-0155)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in Intel GPU subsystem. A local unprivileged user can perform blitter manipulation manipulation and write data to arbitrary location in kernel memory. As a result a local authenticated user can execute arbitrary code on the system with superuser privileges.
This vulnerability affects the following Intel products:
- 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families
- Intel(R) Pentium(R) Processor J, N, Silver and Gold Series
- Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series
- Intel(R) Atom(R) Processor A and E3900 Series
- Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families
- Intel(R) Graphics Driver for Windows before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077)
- i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201
29) Out-of-bounds write (CVE-ID: CVE-2019-14821)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the KVM coalesced MMIO support functionality due to incorrect processing of shared indexes. A local user can run a specially crafted application to trigger an out-of-bounds write error and write data to arbitrary address in the kernel memory.
Successful vulnerability exploitation may allow an attacker to execute arbitrary code on the system with root privileges.
30) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-14287)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in the implementation of the "sudo" application when processing commands that are configured to run with ALL keyword. A local user with privileges to use sudo for specific applications on the system can escalate privileges and run the application as root (even if precisely restricted), if user id "-1" or "4294967295" is used.
Example:
The following entry instructs sudo to allow user bob to run "/usr/bin/id" command as any user on the system but root:
myhost bob = (ALL, !root) /usr/bin/id
The following command will allow bob execute the "/usr/bin/id" command as root:
sudo -u#-1 id -u
31) Buffer overflow (CVE-ID: CVE-2020-8597)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the "eap_request" and "eap_response" functions in "eap.c" file in pppd. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
32) Improper input validation (CVE-ID: CVE-2019-2949)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Kerberos component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
33) Improper input validation (CVE-ID: CVE-2019-2958)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
34) Improper input validation (CVE-ID: CVE-2019-2973)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JAXP component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
35) Improper input validation (CVE-ID: CVE-2019-2977)
The vulnerability allows a remote non-authenticated attacker to read memory contents or crash the application.
The vulnerability exists due to improper input validation within the Hotspot component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to read memory contents or crash the application.
36) Improper input validation (CVE-ID: CVE-2019-2975)
The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate or delete data.
37) Improper input validation (CVE-ID: CVE-2019-2999)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Javadoc component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
38) Improper input validation (CVE-ID: CVE-2019-2996)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Deployment component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
39) Improper input validation (CVE-ID: CVE-2019-2987)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the 2D component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
40) Improper input validation (CVE-ID: CVE-2019-2962)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the 2D component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
41) Improper input validation (CVE-ID: CVE-2019-2988)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the 2D component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
42) Improper input validation (CVE-ID: CVE-2019-2992)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the 2D component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
43) Improper input validation (CVE-ID: CVE-2019-2964)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Concurrency component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Remediation
Install update from vendor's website.