This list shows fixes based on results from 3 different scanning tools Retina, Nessus and Acunetix run against StruxureWare Data Center Operation as well as other relevant security vulnerability information related to the product. Some of these scans might also be part of official certifications like e.g. DOD RMF IT (Former DIACAP) or FIPS140.
Vulnerability | Answer | Affects DCO | Fixed in DCO | Comments | Scanning tools |
|---|---|---|---|---|---|
| ZipSlip (CVE-2018-7806) | Data Center Operation allows for the upload of a zip file from its user interface to the server. A carefully crafted, malicious file could be mistakenly uploaded by an authenticated user via this feature which could contain path traversal file names. As such, it could allow for the arbitrary upload of files contained with the zip onto the server file system outside of the intended directory. This is leveraging the more commonly known ZipSlip vulnerability within Java code. CVSS score: 6.6. CVSS vector: AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H | All versions | 8.2.12 | ||
Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715) | Affects all versions of Linux (Centos, Red Hat, and Debian). Customers are advised to upgrade to the latest version of DCO. Red Hat users should upgrade packages. More information from Red Hat An unprivileged attacker could use this flaw to:
| All versions | 8.2.2 | Nessus | |
| Dirty COW (CVE-2016-5195) | Affects all versions of Linux (Centos, Red Hat, and Debian). Customers are advised to upgrade to the latest version of DCO. Red Hat users should upgrade packages and look for more information by following the Red Hat link. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and increase their privileges on the system. | 7.5.0, 8.0.0 and 8.0.1 | 8.0.2 | Red Hat CVE-2016-5195 | Nessus |
| BADLOCK (CVE-2016-2118) | Affects both Debian and Red Hat versions of StruxureWare Data Center Operation until and including version 7.5.0 when using Windows Networking Filesystem (smbfs), e.g., when using a Windows network share to store backups. Red Hat users should upgrade packages and look for more information by following the Red Hat link. We do not have a fix for Debian users so Debian users that use the Windows Networking Filesystem (smbfs) functionality should consider their exposure to this vulnerability and avoid using smbfs if necessary. The vulnerability will be addressed in the next release of DCO. | ≤ 7.5.0 | 8.0 | ||
| DROWN (CVE-2016-0800) | Affects both Debian and Red Hat versions of StruxureWare Data Center Operation until and including version 7.4.5. Red Hat users should upgrade packages even though they are already running the fixed version of StruxureWare Data Center Operation. The vulnerability is solved with the release of version 7.5 of StruxureWare Data Center Operation . | ≤ 7.4.5 | 7.5 | ||
| glibc buffer overflow (CVE-2015-7547) | Affects both Debian and Red Hat versions of StruxureWare Data Center Operation. | ≤ 7.5 | 8.0 | ||
| Logjam (CVE-2015-4000) | Affects disaster recovery nodes on Debian versions of StruxureWare Data Center Operation. Red Hat versions are not affected since they do not support disaster recovery nodes. | ≤ 7.5 | 8.0 | ||
| OpenSSL: alternative chains certificate forgery | Does not affects versions of StruxureWare Data Center Operation both Debian and Red Hat. | Red Hat CVE-2015-1793 | |||
| Leap Second 2015 | The vulnerability affects versions of StruxureWare Data Center Operation until and including version 7.4.5. The vulnerability is solved with the release of version 7.5 of StruxureWare Data Center Operation . | ≤ 7.4.5 | 7.5 | Upgrading TZDATA 2015 to accommodate Leap second | |
| NTP (CVE-2014-9295) | The vulnerability affects versions of StruxureWare Data Center Operation until and including version 7.4.5. The vulnerability is solved with the release of version 7.5 of StruxureWare Data Center Operation . | ≤ 7.4.5 | 7.5 | Upgrading ntp on DCO Server to Fix CVE-2014-9295 Vulnerability | |
| Ghost (CVE-2015-0235) | The vulnerability affects versions of StruxureWare Data Center Operation until and including version 7.4.5 . The vulnerability is solved with the release of version 7.5 of StruxureWare Data Center Operation . | ≤ 7.4.5 | 7.5 | Upgrading libc on DCO Server to Fix GHOST Vulnerability | |
| Heartbleed (OpenSSL) | StruxureWare Data Center Operation is not affected by the Heartbleed vulnerability. In v7.4, the openSSL component has been updated to present the latest version fixing all known vulnerabilities. | ||||
| Shellshock (CVE-2014-6271 / CVE-2014-7169) | Shellshock does not seem remotely exploitable for unprivileged users on StruxureWare Data Center Operation. We do however recommend following the guide on patching the vulnerability in the 7.4. In the 7.4.5 release of StruxureWare Data Center Operation, bash is updated to include the fix. Note about CVE-2014-7169: The original guide only covered CVE-2014-6271. The guide has been updated at 2014-09-29 05:00 UTC to cover both issues. | ≤ 7.4 | 7.4.5 | Upgrading BASH on DCO Server to Fix Shellshock Vulnerability
| |
| Poodle | The vulnerability is solved with the release of version 7.4.5 of StruxureWare Data Center Operation. | ≤ 7.4 | 7.4.5 |
