Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Article Number: 000194933

Dell EMC OpenManage Enterprise False Positive Security Vulnerabilities

Summary: This article provides a list of security vulnerabilities that cannot be exploited on all versions of Dell EMC OpenManage Enterprise, but which may be identified by security scanners.

Article Content

Security Article Type

Security KB

CVE Identifier

The CVE IDs are listed in the table below.

Issue Summary

This article provides a list of security vulnerabilities that cannot be exploited on all versions of Dell EMC OpenManage Enterprise, but which may be identified by security scanners.

Recommendations

The vulnerabilities that are listed in the table below are in order by the date on which Dell EMC OpenManage Enterprise Engineering determined that all versions of Dell EMC OpenManage Enterprise were not vulnerable.
 
Third-party Component CVE IDs Summary of Vulnerability Reason why Product is not Vulnerable Date Determined False Positive
Log4j-2.16 CVE-2021-45105 Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to potentially cause a denial of service when a crafted string is interpreted. Dell EMC Open Manage Enterprise log configuration is not using the context lookups (for example, ${ctx:loginId}) in the Log4j pattern layout. December 17, 2021
Log4j-2.16 CVE-2021-44832 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file may potentially construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can run remote code. Dell EMC Open Manage Enterprise team confirmed that JDBC Appender is being used, and it is not configured to use any protocol other than Java.


 		 December 29, 2021
Spring-mvc CVE-2022-22965 A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) using data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. This vulnerability is not applicable to the Dell EMC Open Manage Enterprise due to the JDK usage, and deployment of the application are different from the prerequisites of the vulnerability. April 8, 2022
Spring-Cloud CVE-2022-22963 In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. Open Manage Enterprise is not using the Spring Cloud libraries. April 8, 2022
Spring Framework CVE-2022-22950 In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and earlier unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. Open Manage Enterprise is not using SpEL and not aware of any other practical way to exploit this vulnerability. April 8, 2022

Legal Information

Article Properties

Affected Product

Dell OpenManage Enterprise, Dell EMC OpenManage Enterprise, Product Security Information

Last Published Date

12 Apr 2022

Version

3

Article Type

Security KB

Back to Top