Article Number: 000207177
DSA-2022-340: Dell Unisphere for PowerMax, Dell Unisphere for PowerMax vApp, Dell Solutions Enabler vApp, Dell Unisphere 360, Dell VASA Provider vApp, and Dell PowerMax EMB Mgmt Security Update for Multiple Vulnerabilities
Summary: Dell Unisphere for PowerMax, Dell Unisphere for PowerMax Virtual Appliance, Dell Solutions Enabler, Dell Solutions Enabler Virtual Appliance, Dell Unisphere 360, Dell VASA Provider Virtual Appliance, and Dell PowerMax Embedded Management remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system. ...
Article Content
Impact
High
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String | |
| CVE-2022-45104 | Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solutions Enabler vApp version 9.2.3.x contains an Improper Input Validation in vApp Manager’s Download Logs feature. A low privileged remote attacker may potentially exploit this vulnerability, leading to obtaining Remote Code Execution on the underlying system. | 8.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | |
| CVE-2022-34397 | Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solutions Enabler vApp version 10.0.0.2 and earlier contains an authorization bypass vulnerability, allowing users to perform actions for which they are not authorized. | 6.9 | CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N | |
| CVE-2022-45103 | Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solutions Enabler vApp version 9.2.3.x contains an Improper Input Validation in vApp Manager’s Download Logs feature. A low privileged remote attacker may potentially exploit this vulnerability, leading to an authenticated user to read arbitrary files on the underlying file system. | 5.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N | |
| CVE-2022-34363 | Dell Unisphere for PowerMax vApp version prior to 10.0.0.2, contains an authorization bypass vulnerability in the Unisphere for VMAX application running in vApp | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| Third-party Component | CVEs | More information |
| Apache Commons Text | CVE-2022-42889 | https://nvd.nist.gov/vuln/detail/CVE-2022-42889  |
| Apache Commons Configuration | CVE-2022-33980 | https://nvd.nist.gov/vuln/detail/CVE-2022-33980 |
| Oxygen XML WebHelp | CVE-2021-46827 | https://nvd.nist.gov/vuln/detail/CVE-2021-46827 |
| SLES 12 SP5 (9.2.3) | ||
| SLES 15 SP3 | See SUSE Update Advisories. | |
| Oracle | CVE-2022-32215, CVE-2022-21634, CVE-2022-21597, CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619 |
See NVD (http://nvd.nist.gov/ ) for individual scores for each CVE. |
| Windows 10 | CVE-2022-38041, CVE-2022-38040, CVE-2022-38045, CVE-2022-37995, CVE-2022-38022, CVE-2022-38028, CVE-2022 34689, CVE-2022-38026, CVE-2022-37986, CVE-2022-33645, CVE-2022-30198, CVE-2022-38043, CVE-2022-37987, CVE-2022-38021, CVE-2022-37984, CVE-2022-33635, CVE-2022-33634, CVE-2022-35770, CVE-2022-37975, CVE-2022-37994, CVE-2022-37965, CVE-2022-24504, CVE-2022-37997, CVE-2022-38042, CVE-2022-37993, CVE-2022-37991, CVE-2022-37990, CVE-2022-38038, CVE-2022-37989, CVE-2022-38037, CVE-2022-37988, CVE-2022-38033, CVE-2022-38032, CVE-2022-38031, CVE-2022-37982, CVE-2022-38029, CVE-2022-37977, CVE-2022-38034, CVE-2022-37978, CVE-2022-37970, CVE-2022-37983, CVE-2022-38016, CVE-2022-38030, CVE-2022-38039, CVE-2022-41081, CVE-2022-41033, CVE-2022-37981, CVE-2022-38003, CVE-2022-38051, CVE-2022-38050, CVE-2022-38000, CVE-2022-37996, CVE-2022-38027, CVE-2022-38044, CVE-2022-37999, CVE-2022-38047, CVE-2022-35803, CVE-2022-38006, CVE-2022-37958, CVE-2022-38005, CVE-2022-37957, CVE-2022-38004, CVE-2022-37956, CVE-2022-37955, CVE-2022-37954, CVE-2022-34734, CVE-2022-34733, CVE-2022-34732, CVE-2022-34731, CVE-2022-34730, CVE-2022-34729, CVE-2022-34728, CVE-2022-34727, CVE-2022-34726, CVE-2022-34725, CVE-2022-34722, CVE-2022-34721, CVE-2022-34720, CVE-2022-34719, CVE-2022-34718, CVE-2022-35841, CVE-2022-35840, CVE-2022-35837, CVE-2022-35836, CVE-2022-35835, CVE-2022-35834, CVE-2022-35833, CVE-2022-35832, CVE-2022-35831, CVE-2022-30200, CVE-2022-30196, CVE-2022-30170, CVE-2022-26928, CVE-2022-37969, CVE-2022-35822, CVE-2022-34711, CVE-2022-35771, CVE-2022-35794, CVE-2022-35766, CVE-2022-35765, CVE-2022-35764, CVE-2022-35760, CVE-2022-35754, CVE-2022-35820, CVE-2022-35768, CVE-2022-35767, CVE-2022-35769, CVE-2022-33670, CVE-2022-35793, CVE-2022-35757, CVE-2022-35797, CVE-2022-35763, CVE-2022-34703, CVE-2022-35795, CVE-2022-35792, CVE-2022-35762, CVE-2022-35761, CVE-2022-35759, CVE-2022-35758, CVE-2022-35756, CVE-2022-35755, CVE-2022-35753, CVE-2022-35752, CVE-2022-35750, CVE-2022-35749, CVE-2022-35747, CVE-2022-35746, CVE-2022-35745, CVE-2022-35744, CVE-2022-35743, CVE-2022-34714, CVE-2022-34713, CVE-2022-34710, CVE-2022-34709, CVE-2022-34708, CVE-2022-34707, CVE-2022-34706, CVE-2022-34705, CVE-2022-34704, CVE-2022-34702, CVE-2022-34701, CVE-2022-34699, CVE-2022-34691, CVE-2022-34690, CVE-2022-34302, CVE-2022-30194, CVE-2022-30144, CVE-2022-30133, CVE-2022-30197, CVE-2022-34301, CVE-2022-34303, CVE-2022-22035, CVE-2022-37985 |
See NVD (http://nvd.nist.gov/ ) for individual scores for each CVE. |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String | |
| CVE-2022-45104 | Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solutions Enabler vApp version 9.2.3.x contains an Improper Input Validation in vApp Manager’s Download Logs feature. A low privileged remote attacker may potentially exploit this vulnerability, leading to obtaining Remote Code Execution on the underlying system. | 8.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | |
| CVE-2022-34397 | Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solutions Enabler vApp version 10.0.0.2 and earlier contains an authorization bypass vulnerability, allowing users to perform actions for which they are not authorized. | 6.9 | CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N | |
| CVE-2022-45103 | Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solutions Enabler vApp version 9.2.3.x contains an Improper Input Validation in vApp Manager’s Download Logs feature. A low privileged remote attacker may potentially exploit this vulnerability, leading to an authenticated user to read arbitrary files on the underlying file system. | 5.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N | |
| CVE-2022-34363 | Dell Unisphere for PowerMax vApp version prior to 10.0.0.2, contains an authorization bypass vulnerability in the Unisphere for VMAX application running in vApp | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| Third-party Component | CVEs | More information |
| Apache Commons Text | CVE-2022-42889 | https://nvd.nist.gov/vuln/detail/CVE-2022-42889 |
| Apache Commons Configuration | CVE-2022-33980 | https://nvd.nist.gov/vuln/detail/CVE-2022-33980 |
| Oxygen XML WebHelp | CVE-2021-46827 | https://nvd.nist.gov/vuln/detail/CVE-2021-46827 |
| SLES 12 SP5 (9.2.3) | ||
| SLES 15 SP3 | See SUSE Update Advisories. | |
| Oracle | CVE-2022-32215, CVE-2022-21634, CVE-2022-21597, CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619 |
See NVD (http://nvd.nist.gov/ ) for individual scores for each CVE. |
| Windows 10 | CVE-2022-38041, CVE-2022-38040, CVE-2022-38045, CVE-2022-37995, CVE-2022-38022, CVE-2022-38028, CVE-2022 34689, CVE-2022-38026, CVE-2022-37986, CVE-2022-33645, CVE-2022-30198, CVE-2022-38043, CVE-2022-37987, CVE-2022-38021, CVE-2022-37984, CVE-2022-33635, CVE-2022-33634, CVE-2022-35770, CVE-2022-37975, CVE-2022-37994, CVE-2022-37965, CVE-2022-24504, CVE-2022-37997, CVE-2022-38042, CVE-2022-37993, CVE-2022-37991, CVE-2022-37990, CVE-2022-38038, CVE-2022-37989, CVE-2022-38037, CVE-2022-37988, CVE-2022-38033, CVE-2022-38032, CVE-2022-38031, CVE-2022-37982, CVE-2022-38029, CVE-2022-37977, CVE-2022-38034, CVE-2022-37978, CVE-2022-37970, CVE-2022-37983, CVE-2022-38016, CVE-2022-38030, CVE-2022-38039, CVE-2022-41081, CVE-2022-41033, CVE-2022-37981, CVE-2022-38003, CVE-2022-38051, CVE-2022-38050, CVE-2022-38000, CVE-2022-37996, CVE-2022-38027, CVE-2022-38044, CVE-2022-37999, CVE-2022-38047, CVE-2022-35803, CVE-2022-38006, CVE-2022-37958, CVE-2022-38005, CVE-2022-37957, CVE-2022-38004, CVE-2022-37956, CVE-2022-37955, CVE-2022-37954, CVE-2022-34734, CVE-2022-34733, CVE-2022-34732, CVE-2022-34731, CVE-2022-34730, CVE-2022-34729, CVE-2022-34728, CVE-2022-34727, CVE-2022-34726, CVE-2022-34725, CVE-2022-34722, CVE-2022-34721, CVE-2022-34720, CVE-2022-34719, CVE-2022-34718, CVE-2022-35841, CVE-2022-35840, CVE-2022-35837, CVE-2022-35836, CVE-2022-35835, CVE-2022-35834, CVE-2022-35833, CVE-2022-35832, CVE-2022-35831, CVE-2022-30200, CVE-2022-30196, CVE-2022-30170, CVE-2022-26928, CVE-2022-37969, CVE-2022-35822, CVE-2022-34711, CVE-2022-35771, CVE-2022-35794, CVE-2022-35766, CVE-2022-35765, CVE-2022-35764, CVE-2022-35760, CVE-2022-35754, CVE-2022-35820, CVE-2022-35768, CVE-2022-35767, CVE-2022-35769, CVE-2022-33670, CVE-2022-35793, CVE-2022-35757, CVE-2022-35797, CVE-2022-35763, CVE-2022-34703, CVE-2022-35795, CVE-2022-35792, CVE-2022-35762, CVE-2022-35761, CVE-2022-35759, CVE-2022-35758, CVE-2022-35756, CVE-2022-35755, CVE-2022-35753, CVE-2022-35752, CVE-2022-35750, CVE-2022-35749, CVE-2022-35747, CVE-2022-35746, CVE-2022-35745, CVE-2022-35744, CVE-2022-35743, CVE-2022-34714, CVE-2022-34713, CVE-2022-34710, CVE-2022-34709, CVE-2022-34708, CVE-2022-34707, CVE-2022-34706, CVE-2022-34705, CVE-2022-34704, CVE-2022-34702, CVE-2022-34701, CVE-2022-34699, CVE-2022-34691, CVE-2022-34690, CVE-2022-34302, CVE-2022-30194, CVE-2022-30144, CVE-2022-30133, CVE-2022-30197, CVE-2022-34301, CVE-2022-34303, CVE-2022-22035, CVE-2022-37985 |
See NVD (http://nvd.nist.gov/ ) for individual scores for each CVE. |
Affected Products and Remediation
Acknowledgements
CVE-2022-45103, CVE-2022-45104: Dell Technologies would like to thank Antoine Carrincazeaux of Synacktiv for reporting these issues.
CVE-2022-34363: Dell Technologies would like to thank Cristian Mocanu at Deloitte for reporting this issue.
CVE-2022-34397: Dell Technologies would like to thank Mateusz Dabrowski for reporting this issue.
Revision History
| Revision | Date | Description |
| 1.0 | 2023-01-04 | Initial Version |
| 2.0 | 2023-01-10 | Minor Update to Acknowledgements |
| 3.0 | 2023-03-02 | Update Proprietary Code CVE |
| 4.0 | 2023-12-01 | formatting changes with content update. |
Related Information
Legal Information
Article Properties
Affected Product
PowerMax, PowerMax, PowerMax 2000, PowerMax 2500, PowerMax 8000, PowerMax 8500, PowerMax Engine, PowerMaxOS 10, PowerMaxOS 5978, Product Security Information, Unisphere for PowerMax
Last Published Date
08 Feb 2024
Article Type
Dell Security Advisory