SB20250520114 - Dell Data Lakehouse update for third-party components

Description

This security bulletin contains information about 30 secuirty vulnerabilities.

1) Insufficient Control Flow Management (CVE-ID: CVE-2024-25565)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient control flow management. A local attacker can perform a denial of service (DoS) attack.

2) Integer overflow (CVE-ID: CVE-2024-38796)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in PeCoffLoaderRelocateImage. A remote user on the local network can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Out-of-bounds read (CVE-ID: CVE-2024-36124)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due Snappy tries to read outside the bounds of the given byte arrays when uncompressing certain data. A remote attacker can create a non-deterministic behavior or crash the JVM.

4) Infinite loop (CVE-ID: CVE-2024-30172)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in the Ed25519 verification code. A remote attacker can pass a specially signature and public key to the application, consume all available system resources and cause denial of service conditions.

5) Improper Certificate Validation (CVE-ID: CVE-2020-9488)

The vulnerability allows a remote attacker to perform man-in-the-middle attack.

The vulnerability exists due to the Apache Log4j SMTP appender does not validate SSL certificates. A remote attacker can perform a MitM attack, intercept and decrypt network traffic.

6) Improper input validation (CVE-ID: CVE-2024-20952)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

7) Improper input validation (CVE-ID: CVE-2024-20926)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Scripting component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

8) Improper input validation (CVE-ID: CVE-2024-20918)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

9) Out-of-bounds write (CVE-ID: CVE-2024-38665)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing untrusted input. A local user can trigger an out-of-bounds write and execute arbitrary code with escalated privileges.

10) Protection mechanism failure (CVE-ID: CVE-2024-38660)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient implementation of security measures in the Sub-Page write Permissions (SPP). A local user can escalate privileges on the system.

11) Protection mechanism failure (CVE-ID: CVE-2024-36242)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient implementation of security measures in the Sub-Page write Permissions (SPP). A local user can execute arbitrary code with elevated privileges.

12) Buffer overflow (CVE-ID: CVE-2024-34170)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A local user can trigger memory corruption and perform a denial of service (DoS) attack.

13) Untrusted Pointer Dereference (CVE-ID: CVE-2024-34023)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to untrusted pointer dereference error. A local user can perform a denial of service (DoS) attack.

14) Input validation error (CVE-ID: CVE-2024-31068)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper Finite State Machines (FSMs) in Hardware Logic. A local administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.

15) Buffer overflow (CVE-ID: CVE-2024-23919)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.

16) Use-after-free (CVE-ID: CVE-2023-42363)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the xasprintf() function in xfuncs_printf.c. A remote attacker can trick the victim to pass a specially crafted input to the application and crash it.

17) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2024-27457)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper check for unusual or exceptional conditions. A local administrator can send specially crafted data to the application and disclose sensitive information.

18) Missing Encryption of Sensitive Data (CVE-ID: CVE-2023-45285)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to a fallback to insecure git. Using "go get" to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and  git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. OPROXY=off).

19) Input validation error (CVE-ID: CVE-2023-39323)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when processing line directives (e.g. "//line") in the code. A remote attacker can bypass restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build".

20) Code Injection (CVE-ID: CVE-2023-29405)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime when running "go get" on a malicious module, or when running any other
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.

21) Code Injection (CVE-ID: CVE-2023-29404)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime when running "go get" on a malicious module, or when running any other
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.

22) Code Injection (CVE-ID: CVE-2023-29402)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the cgo go command when building code that contains directories with newline characters in their names. A remote attacker can pass specially crafted input to the cgo command at build time and potentially compromise the system.

Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

23) Input validation error (CVE-ID: CVE-2022-41716)

The vulnerability allows a local user to execute arbitrary OS commands on the system.

The vulnerability exists due to insecure processing of unsanitized NUL values in syscall.StartProcess and os/exec.Cmd. A local user on the Windows operating system can set a specially crafted environment variable and execute arbitrary OS commands on the system.

24) Off-by-one (CVE-ID: CVE-2024-52533)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an off-by-one error in gio/gsocks4aproxy.c when handling responses from SOCKS4 proxy. A remote attacker can trick the victim into connecting to a malicious SOCKS4 proxy server, trigger an off-by-one error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

25) LDAP injection (CVE-ID: CVE-2022-46337)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper input validation when processing DLAP queries. A remote non-authenticated attacker can send a specially crafted LDAP query to the application, bypass authentication process and gain unauthorized access to the application.

26) Security restrictions bypass (CVE-ID: CVE-2018-1313)

The vulnerability allows a remote unauthenticated attacker to bypass security restrictions to the target system.

The weakness exists in the Network Server component due to improper security restrictions. If the Derby Network Server is started without specifying a security manager, the Derby Network Server will install a default Java security manager that enforces a basic policy. A remote attacker can send a specially crafted packet and cause the system to boot a database for which the location and contents of the database are under the attacker's control.

27) Stack-based buffer overflow (CVE-ID: CVE-2023-51074)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in the Criteria.parse() method. A remote unauthenticated attacker can trigger stack-based buffer overflow and perform a denial of service attack.

28) Heap-based buffer overflow (CVE-ID: CVE-2023-42366)

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to a boundary error within the next_token() function at awk.c. A remote attacker can trick the victim to pass a specially crafted file, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.

29) Use-after-free (CVE-ID: CVE-2023-42365)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the copyvar() function in awk.c. A remote attacker can trick the victim to pass a specially crafted awk pattern to the application and crash it.

30) Use-after-free (CVE-ID: CVE-2023-42364)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the evaluate() function in awk.c. A remote attacker can trick the victim to pass a specially crafted awk pattern to the application and crash it.

Remediation

Install update from vendor's website.

References

• https://www.dell.com/support/kbdoc/nl-nl/000308929/dsa-2025-184-security-update-for-dell-data-lakehouse-multiple-third-party-component-vulnerabilities