
Article Number: 000211365


DSA-2023-110: Dell Technologies PowerProtect DD Security Update for Multiple Vulnerabilities

Summary: Dell Technologies PowerProtect DD remediation is available for various security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article Content


Impact

Critical

Details

| Third-Party Component | CVE(s) | More information |
|---|---|---|
| Zlib | CVE-2022-37434, CVE-2018-25032 | https://nvd.nist.gov/vuln/detail/CVE-2022-37434, https://nvd.nist.gov/vuln/detail/cve-2018-25032 |
| Apache Tomcat | CVE-2022-29885, CVE-2022-34305 | https://nvd.nist.gov/vuln/detail/CVE-2022-29885, https://nvd.nist.gov/vuln/detail/CVE-2022-34305 |
| Expat | CVE-2022-40674, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315, CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852 | https://access.redhat.com/errata/RHSA-2022:6834, https://access.redhat.com/errata/RHSA-2022:1069 |
| mozilla-nspr | CVE-2021-43527 | https://nvd.nist.gov/vuln/detail/CVE-2021-43527 |
| Grub2 | CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-28736 | https://www.suse.com/support/update/announcement/2022/suse-su-20222038-1/ |
| Dell IDRAC9 | CVE-2022-44640 | DSA-2023-162 |

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
|---|---|---|---|---|
| CVE-2022-29885, CVE-2022-34305, CVE-2022-40674, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315, CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852 | PowerProtect DD DDOS and DDMC | Versions 7.0 through 7.10 | Versions 7.11.0.0 or later, or 7.7.5.11 or later to stay on LTS2022 7.7, or 7.10.1.1 or later to stay on LTS2023 7.10 | For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles): https://www.dell.com/support/kbdoc/334649 https://www.dell.com/support/kbdoc/525902 |
| | | Versions prior to 6.2.1.90 | Versions 6.2.1.100 and later | |
| | PowerProtect Data Manager Appliance model: DM5500 | Versions prior to 5.12 | Versions 5.13 or later | |
| CVE-2022-37434, CVE-2018-25032, CVE-2021-43527, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-28736 | PowerProtect DD SmartScale | Versions 7.8 through 7.10 | Versions 7.11.0.0 or later, or 7.10.1.1 or later to stay on LTS2023 7.10 | |
| CVE-2021-43527 | PowerProtect DD DDOS and DDMC | Versions 7.0 through 7.11 | Versions 7.11.0.0 or later, or 7.7.5.11 or later to stay on LTS2022 7.7, or 7.10.1.1 or later to stay on LTS2023 7.10 | |
| | | Versions prior to 6.2.1.90 | 6.2.1.100 and later | |
| | PowerProtect DP Series Appliance (IDPA) | Versions prior to 2.7.3 | Versions 2.7.6 or later | |
| | PowerProtect Data Manager Appliance model: DM5500 | Versions prior to 5.13 | Versions 5.13 or later | |
| CVE-2022-44640 | PowerProtect DD Appliance model: DD3300, DD6400, DD6900, DD9400, and DD9900 | Versions 7.0 through 7.10 | Versions 7.11.0.0 or later, or 7.7.5.1 or later to stay on LTS2022 7.7, or 7.10.1.0 or later to stay on LTS2023 7.10 | |
| CVE-2022-29885, CVE-2022-34305, CVE-2022-40674, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315, CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852 | PowerProtect DP Series Appliance (IDPA) | Versions prior to 2.7.4 | PowerProtect DP Series Appliance (IDPA) Versions 2.7.2, 2.7.3, and 2.7.4 with DDOS 7.7.5.20 patch | IDPA : Allowed Point Product Upgrades; Procedure to upgrade DataDomainOS |
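The following is an added example, not Dell code or tooling: a fleet triage helper that applies the release-train logic of the PowerProtect DD "DDOS and DDMC" entry for the Apache Tomcat and Expat CVEs, where the required minimum depends on whether a system stays on LTS2022 7.7, stays on LTS2023 7.10, or moves to 7.11. It assumes versions are reported as dotted numeric strings and that the 6.2.1.x thresholds listed under that entry apply to the same product; the function names and the inventory are constructed for illustration.

```python
# Added example: triage DDOS/DDMC versions against this advisory's table.
# Floors come from the "PowerProtect DD DDOS and DDMC" row for the
# Apache Tomcat and Expat CVEs; other rows use different minimums.
LTS_FLOORS = {(7, 7): (7, 7, 5, 11), (7, 10): (7, 10, 1, 1)}
FEATURE_FLOOR = (7, 11, 0, 0)
ALL_7X_FLOORS = sorted(LTS_FLOORS.values()) + [FEATURE_FLOOR]
V6_AFFECTED_BELOW = (6, 2, 1, 90)   # "Versions prior to 6.2.1.90"
V6_FLOOR = (6, 2, 1, 100)           # "Versions 6.2.1.100 and later"

def parse_version(text):
    """Turn '7.7.5.11' into a 4-tuple of ints, zero-padding short versions."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def fmt(version):
    return ".".join(str(n) for n in version)

def triage(version_text):
    """Return (status, upgrade_targets) for one DDOS or DDMC version string."""
    v = parse_version(version_text)
    if v >= FEATURE_FLOOR:
        return "remediated", []
    if v[0] == 7:
        floor = LTS_FLOORS.get(v[:2])
        if floor is not None and v >= floor:
            return "remediated", []
        # Any listed floor above the running build is a valid target.
        return "affected", [fmt(f) for f in ALL_7X_FLOORS if f > v]
    if v < V6_AFFECTED_BELOW:
        return "affected", [fmt(V6_FLOOR)]
    if v >= V6_FLOOR:
        return "remediated", []
    # 6.2.1.90 through 6.2.1.99 appears in neither column of the table.
    return "not-stated", [fmt(V6_FLOOR)]

# Constructed inventory (hostnames and versions are made up for illustration).
INVENTORY = {"dd-site-a": "7.7.5.1", "dd-site-b": "7.10.1.1",
             "dd-site-c": "6.2.1.80", "ddmc-01": "7.9.0.0"}

def report(inventory):
    """Map each host to its triage result, affected hosts first."""
    rows = [(host, *triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (r[1] != "affected", r[0]))

if __name__ == "__main__":
    for host, status, targets in report(INVENTORY):
        print(f"{host:10} {status:11} {' or '.join(targets)}")
```

The CVE-2022-44640 entry lists lower LTS minimums (7.7.5.1 and 7.10.1.0), so a check for that CVE needs its own floor values.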

Workarounds and Mitigations

To minimize exposure to these vulnerabilities in PowerProtect DD and PowerProtect DP Series Appliance (IDPA), limit HTTPS and SSH access to the Data Domain system in the Administration section of the GUI. Host access can additionally be configured using the net filter CLI. Refer to the DD OS Administration Guide and Command Reference Guide for details. PowerProtect and Data Domain core documents can be found here.

Revision History

| Revision | Date | Description |
|---|---|---|
| 1.0 | 2023-03-21 | Initial Release |
| 2.0 | 2023-03-23 | Updated "Affected Product" under "Article Properties" |
| 3.0 | 2023-03-27 | Updated the "Updated Versions" |
| 4.0 | 2023-03-28 | Updated Product Table - Added Integrated DataProtect Appliance model: DP4400 |
| 5.0 | 2023-03-29 | Updated CVE-2022-22852 to Correct CVE CVE-2022-23852 |
| 6.0 | 2023-04-28 | Updated Affected Products and Remediation Table - Updated versions for PowerProtect DD DDOS and DDMC, Updated Versions for PowerProtect DD SmartScale, Changed Integrated DataProtect Appliance Model: DP4400 to PowerProtect DP Series Appliance (IDPA), Added PowerProtect Data Manager Appliance model: DM5500, Added CVE-2021-43527 and Products. Added Work Around and Mitigation |
| 7.0 | 2023-05-08 | Updated Affected Products and Remediation table the Updated versions for LTS 7.7 and 7.10 |
| 8.0 | 2023-0614 | Updated Affected Products and Remediation table replaced Next 7.7 after 7.7.5.1 to stay on LTS2022 7.7 with 7.7.5.11 and above to stay on LTS2022 7.7 for PowerProtect DD DDOS and DDMC |
| 9.0 | 2023-07-05 | Updated Affected Products and Remediation Table replaced Next 7.10 after 7.10.1.0 to stay on LTS2023 7.10 with 7.10.1.1 and above to stay on LTS2023 7.10 |
| 10.0 | 2023-07-11 | Added Affected Products and Remediation for CVE-2022-44640. |
| 11.0 | 2023-08-02 | Updated Affected Products under Article Properties |
| 12.0 | 2023-11-20 | Updated the Affected Products and Remediation Table - Affected Versions, Remediated Versions, and Link for PowerProtect DP Series Appliance (IDPA) for following CVEs: CVE-2022-29885, CVE-2022-34305, CVE-2022-40674, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315, CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852 |
| 13.0 | 2024-04-25 | Updated for enhanced presentation with no changes to content |
| 14.0 | 2024-04-25 | Updated for enhanced presentation with no changes to content |
| 15.0 | 2024-04-25 | Updated for enhanced presentation with no changes to content |
| 16.0 | 2024-04-25 | Updated for enhanced presentation with no changes to content |
| 17.0 | 2024-04-25 | Updated Affected Products and Remediation section: Updated Remediated versions for Versions prior to 6.2.1.90, 2.7.3, and 5.13 |

Related Information


Article Properties


Affected Product
PowerProtect Data Protection Appliance, PowerProtect Data Manager Appliance, Data Domain, DD3300 Appliance, PowerProtect DP4400, DD OS 7.0, DD6400 Appliance, DD6900 Appliance, DD9400 Appliance, DD9900 Appliance, PowerProtect DP5300, PowerProtect DP5800, PowerProtect DP8300, PowerProtect DP8800, PowerProtect Data Manager, PowerProtect Data Domain Management Center, PowerProtect Data Protection Software, PowerProtect Data Protection Hardware, PowerProtect DD6400, PowerProtect Data Manager Software, PowerProtect DM5500, PowerProtect DP5900, PowerProtect DP8400, PowerProtect DP8900, PowerProtect Storage Direct, PowerProtect X400 Appliance, PowerProtect Software, Product Security Information ...
Last Published Date

25 Apr 2024

Article Type

Dell Security Advisory