Photograph of Dell Machine
© Hadrian/Shutterstock.com
No AI-generated content: this article is written and researched by humans
Table of contents

On September 27th, 2021, one of the venerable multinational global giants in computer technology, Dell, announced multiple software vulnerabilities affecting one of their industry-grade products. On Monday, Dell dumped a vast amount of release information for its EMC PowerProtect Data Manager product. The release report contains updates and fixes for a total of 78 security vulnerabilities affecting the product and its third-party components. Among the many vulnerabilities, the substantial list also includes some high-risk and critical risk level items. It is important to note that Dell confirmed the potential of malicious attacks in a system that is not updated to the latest official release.

Dell EMC PowerProtect Data Manager

Dell’s EMC PowerProtect Data Manager product is a microservices architecture industry-standard software that offers data protection and database protection in IT infrastructure. The software runs on hardware components, and can also be deployed to work with AWS (Amazon Web Services), Google Cloud, and Microsoft Azure to offer cloud protection. The software includes SaaS (Security-as-a-Service) monitoring solutions. Data Manager can protect databases such as; Kubernetes container, Windows NTFS, Linux, and VMware applications.

The Dell Software Vulnerability

On Dell’s Support Knowledge Base Security Advisory portal, a software vulnerability report named ‘DSA-2021-181: Dell EMC PowerProtect Data Manager Update for Multiple Security Vulnerabilities‘ was released on September 27th, 2021. Noted on the page is the following information; “Dell EMC PowerProtect Data Manager remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected systems.

Technical Details

Below is a comprehensive list that includes the affected files (third-party components) as well as their respective CVE ID vulnerability codes;

Third-Party Component CVE ID Code
MyBatis 3.4.4 CVE-2020-26945
Spring Cloud Netflix Zuul2.2.6.RELEASE CVE-2021-22113
json-smart 2.3 CVE-2021-27568
AWS SDK for Node.js v2.596.0 CVE-2020-28472
css-whatv4.0.0/css-whatv3.4.2 CVE-2021-33587
einaros/ws 6.2.2 CVE-2021-32640
engine.io 3.5.0  CVE-2020-36048
glob-parent 3.1.0 CVE-2020-28469
normalize_url v4.5.0/ normalize_url3.3.0 CVE-2021-33502
path-parse 1.0.6 CVE-2021-23343
PostCSS 7.0.35 CVE-2021-23382
CVE-2021-23368
Socket.IO Parser 3.3.2 CVE-2020-36049
UAParser.js 0.7.21 CVE-2021-27292
CVE-2020-7793
CVE-2020-7733
Apache Commons Compress 1.20 CVE-2021-36090
CVE-2021-35517
CVE-2021-35516
CVE-2021-35515
Expression Language 3.03.0.3 CVE-2021-28170
HashiCorp Consul v1.1.0 CVE-2020-7219
GoLang 1.16 CVE-2021-34558
CVE-2021-33198
CVE-2021-33197
CVE-2021-33196
CVE-2021-33195
CVE-2021-33194
CVE-2021-31525
CVE-2021-27919
CVE-2021-27918
CVE-2021-3121
CVE-2020-29652
CVE-2020-29511
CVE-2020-29510
CVE-2020-29509
CVE-2020-28852
CVE-2020-28851
libgcrypt20=1.6.1-16.77.1 CVE-2021-33560
libsystemd0=228-157.30.1
libudev1=228-157.30.1
systemd-bash-completion=228-157.30.1
systemd-sysvinit=228-157.30.1
systemd=228-157.30.1
udev=228-157.30.1
CVE-2021-33910
containerd=1.4.4-16.42.1 CVE-2021-21334
CVE-2021-32760
python3-urllib3=1.25.10-3.29.1 CVE-2021-33503
bind-utils=9.11.22-3.34.1
libbind9-161=9.11.22-3.34.1
libdns1110=9.11.22-3.34.1
libirs161=9.11.22-3.34.1
libisc1107=9.11.22-3.34.1
libisccc161=9.11.22-3.34.1
libisccfg163=9.11.22-3.34.1
liblwres161=9.11.22-3.34.1
python-bind=9.11.22-3.34.1
CVE-2021-25214
CVE-2021-25215
CVE-2021-25216
dhcp-client=4.3.3-10.22.1
dhcp=4.3.3-10.22.1
CVE-2021-25217
libX11-6=1.6.2-12.21.1
libX11-data=1.6.2-12.21.1
CVE-2021-31535
kernel-default=4.12.14-122.83.1 CVE-2020-0429
CVE-2021-3659
libmspack0=0.4-15.10.1 CVE-2018-14681
glibc-i18ndata=2.22-114.12.1
glibc-locale=2.22-114.12.1
glibc=2.22-114.12.1
CVE-2016-10228
CVE-2020-27618
CVE-2020-29562
CVE-2020-29573
CVE-2021-35942
libpython3_6m1_0=3.6.13-4.42.1
python36-base=3.6.13-4.42.1
python36=3.6.13-4.42.1
CVE-2021-3426
ucode-intel=20210525-3.35.1 CVE-2020-24489
CVE-2020-24511
CVE-2020-24512
CVE-2020-24513
libpolkit0=0.113-5.21.1
polkit=0.113-5.21.1
CVE-2021-3560
libxml2-2=2.9.4-46.46.1
libxml2-tools=2.9.4-46.46.1
CVE-2021-3541
libhogweed2=2.7.1-13.6.1
libnettle4=2.7.1-13.6.1
CVE-2021-3580
libjpeg8=8.1.2-31.25.1 CVE-2020-17541
python3-PyYAML=5.3.1-28.4.3 CVE-2020-14343
postgresql10-server=10.17-4.16.4
postgresql10=10.17-4.16.4
CVE-2021-32027
CVE-2021-32028
dbus-1-x11=1.8.22-35.2
dbus-1=1.8.22-35.2
libdbus-1-3=1.8.22-35.2
CVE-2020-35512
java-1_8_0-openjdk-headless=1.8.0.292-27.60.1 CVE-2021-2163
libpq5=13.3-3.9.3 CVE-2021-32027
CVE-2021-32028
CVE-2021-32029
curl=7.60.0-11.23.1
libcurl4=7.60.0-11.23.1
CVE-2021-22925
cpio-lang=2.11-36.9.2
cpio=2.11-36.9.2
CVE-2021-38185
libsolv-tools=0.6.37-2.33.1 CVE-2019-20387
CVE-2021-3200
sudo >= 1.8.27-4.15.1 CVE-2021-3156

Vulnerable Software Versions

Dell EMC PowerProtect Data Manager 19.8 and prior are at risk from the software weaknesses.

Important User Information

Dell Support has officially stated that fixes and remediation measures are available for the vulnerable versions of Dell EMC PowerProtect Data Manager. Users should upgrade as soon as possible to the secure version that is Dell EMC PowerProtect Manager 19.9. To update, Dell states that users must contact customer support.

Leave a comment