This list shows fixes based on results from three scanning tools (Retina, Nessus and Acunetix) run against StruxureWare Data Center Operation (DCO), as well as other relevant security vulnerability information related to the product. Some of these scans might also be part of official certifications such as DOD RMF IT (formerly DIACAP) or FIPS 140.

 

Columns: Vulnerability | Answer | Affects DCO | Fixed in DCO | Comments | Scanning tools

ZipSlip (CVE-2018-7806)

Data Center Operation allows a zip file to be uploaded from its user interface to the server. An authenticated user could mistakenly upload a carefully crafted, malicious zip file whose entry names contain path traversal sequences. As a result, files contained in the zip could be written to arbitrary locations on the server file system, outside of the intended directory. This leverages the more commonly known ZipSlip vulnerability in Java code.

CVSS score: 6.6. CVSS vector: AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Affects DCO: All versions
Fixed in DCO: 8.2.12

Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715)

Affects all versions of Linux (CentOS, Red Hat, and Debian). Customers are advised to upgrade to the latest version of DCO. Red Hat users should upgrade packages. More information is available from Red Hat.

An unprivileged attacker could use this flaw to:

  • Cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks.
  • Read privileged (kernel space) memory by conducting targeted cache side-channel attacks.
  • Use guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.

Affects DCO: All versions
Fixed in DCO: 8.2.2
Scanning tools: Nessus

Dirty COW (CVE-2016-5195)

Affects all versions of Linux (CentOS, Red Hat, and Debian). Customers are advised to upgrade to the latest version of DCO. Red Hat users should upgrade packages and look for more information by following the Red Hat link.

An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and increase their privileges on the system.

Affects DCO: 7.5.0, 8.0.0 and 8.0.1
Fixed in DCO: 8.0.2
Comments: Red Hat CVE-2016-5195
Scanning tools: Nessus

BADLOCK (CVE-2016-2118)

Affects both Debian and Red Hat versions of StruxureWare Data Center Operation until and including version 7.5.0 when using Windows Networking Filesystem (smbfs), e.g., when using a Windows network share to store backups.

Red Hat users should upgrade packages and look for more information by following the Red Hat link.

We do not have a fix for Debian users, so Debian users who use the Windows Networking Filesystem (smbfs) functionality should consider their exposure to this vulnerability and avoid using smbfs if necessary. The vulnerability will be addressed in the next release of DCO.

Affects DCO: ≤ 7.5.0
Fixed in DCO: 8.0
Comments: Red Hat CVE-2016-2118

DROWN (CVE-2016-0800)

Affects both Debian and Red Hat versions of StruxureWare Data Center Operation until and including version 7.4.5. Red Hat users should upgrade packages even though they are already running the fixed version of StruxureWare Data Center Operation.

The vulnerability is solved with the release of version 7.5 of StruxureWare Data Center Operation.

Affects DCO: ≤ 7.4.5
Fixed in DCO: 7.5
Comments: Red Hat CVE-2016-0800

glibc buffer overflow (CVE-2015-7547)

Affects both Debian and Red Hat versions of StruxureWare Data Center Operation.

Affects DCO: ≤ 7.5
Fixed in DCO: 8.0
Comments: Upgrading glibc on Debian; Red Hat CVE-2015-7547

Logjam (CVE-2015-4000)

Affects disaster recovery nodes on Debian versions of StruxureWare Data Center Operation. Red Hat versions are not affected since they do not support disaster recovery nodes.

Affects DCO: ≤ 7.5
Fixed in DCO: 8.0
Comments: Updating disaster recovery node configuration

OpenSSL: alternative chains certificate forgery

Does not affect either the Debian or the Red Hat versions of StruxureWare Data Center Operation.

Comments: Red Hat CVE-2015-1793

Leap Second 2015

The vulnerability affects versions of StruxureWare Data Center Operation until and including version 7.4.5.

The vulnerability is solved with the release of version 7.5 of StruxureWare Data Center Operation.

Affects DCO: ≤ 7.4.5
Fixed in DCO: 7.5
Comments: Upgrading TZDATA 2015 to accommodate Leap second

NTP (CVE-2014-9295)

The vulnerability affects versions of StruxureWare Data Center Operation until and including version 7.4.5.

The vulnerability is solved with the release of version 7.5 of StruxureWare Data Center Operation.

Affects DCO: ≤ 7.4.5
Fixed in DCO: 7.5
Comments: Upgrading ntp on DCO Server to Fix CVE-2014-9295 Vulnerability

Ghost (CVE-2015-0235)

The vulnerability affects versions of StruxureWare Data Center Operation until and including version 7.4.5.

The vulnerability is solved with the release of version 7.5 of StruxureWare Data Center Operation.

Affects DCO: ≤ 7.4.5
Fixed in DCO: 7.5
Comments: Upgrading libc on DCO Server to Fix GHOST Vulnerability

Heartbleed (OpenSSL)

StruxureWare Data Center Operation is not affected by the Heartbleed vulnerability. In v7.4, the OpenSSL component has been updated to the latest version, fixing all known vulnerabilities.

Shellshock (CVE-2014-6271 / CVE-2014-7169)

Shellshock does not seem remotely exploitable for unprivileged users on StruxureWare Data Center Operation. We do, however, recommend following the guide on patching the vulnerability in 7.4.

In the 7.4.5 release of StruxureWare Data Center Operation, bash is updated to include the fix.

Note about CVE-2014-7169: The original guide only covered CVE-2014-6271. The guide was updated on 2014-09-29 05:00 UTC to cover both issues.

Affects DCO: ≤ 7.4
Fixed in DCO: 7.4.5
Comments: Upgrading BASH on DCO Server to Fix Shellshock Vulnerability

Poodle

The vulnerability is solved with the release of version 7.4.5 of StruxureWare Data Center Operation.

Affects DCO: ≤ 7.4
Fixed in DCO: 7.4.5
