Multiple vulnerabilities in Dell APEX Cloud Platform for Red Hat OpenShift
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2024-21781 CVE-2024-21829 CVE-2024-23599 CVE-2024-23984 CVE-2024-24968 CVE-2024-25565 CVE-2024-21853 CVE-2023-52340 CVE-2024-42154 |
| CWE-ID | CWE-20 CWE-362 CWE-203 CWE-371 CWE-691 CWE-1245 CWE-400 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
APEX Cloud Platform for Red Hat OpenShift Other software / Other software solutions |
| Vendor | Dell |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU97438
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-21781
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in UEFI firmware. A local privileged user can gain access to sensitive information or perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsAPEX Cloud Platform for Red Hat OpenShift: before 03.03.00.00
CPE2.3 External linkshttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU97437
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-21829
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in UEFI firmware error handler. A local privileged user can execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsAPEX Cloud Platform for Red Hat OpenShift: before 03.03.00.00
CPE2.3 External linkshttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Race condition
EUVDB-ID: #VU97445
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-23599
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition in Seamless Firmware Updates for some Intel reference platforms. A local user can exploit the race and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsAPEX Cloud Platform for Red Hat OpenShift: before 03.03.00.00
CPE2.3 External linkshttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Observable discrepancy
EUVDB-ID: #VU97424
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-23984
CWE-ID:
CWE-203 - Observable discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to observable discrepancy in Running Average Power Limit (RAPL) interface. A local privileged user can gain access to potentially sensitive information.
Install update from vendor's website.
Vulnerable software versionsAPEX Cloud Platform for Red Hat OpenShift: before 03.03.00.00
CPE2.3 External linkshttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) State Issues
EUVDB-ID: #VU97423
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-24968
CWE-ID:
CWE-371 - State Issues
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service attack.
The vulnerability exists due to improper finite state machines (FSMs) in hardware logic. A local privileged user can perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsAPEX Cloud Platform for Red Hat OpenShift: before 03.03.00.00
CPE2.3 External linkshttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Insufficient Control Flow Management
EUVDB-ID: #VU100417
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-25565
CWE-ID:
CWE-691 - Insufficient Control Flow Management
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient control flow management. A local attacker can perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsAPEX Cloud Platform for Red Hat OpenShift: before 03.03.00.00
CPE2.3 External linkshttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01085.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper finite state machines in hardware logic
EUVDB-ID: #VU101936
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-21853
CWE-ID:
CWE-1245 - Improper Finite State Machines (FSMs) in Hardware Logic
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in hardware logic. A local unprivileged user can perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsAPEX Cloud Platform for Red Hat OpenShift: before 03.03.00.00
CPE2.3 External linkshttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01101.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Resource exhaustion
EUVDB-ID: #VU88378
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-52340
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error when processing very large ICMPv6 packets. A remote attacker can send a flood of IPv6 ICMP6 PTB messages, cause the high lock contention and increased CPU usage, leading to a denial of service.
Successful vulnerability exploitation requires a attacker to be on the local network or have a high bandwidth connection.
Install update from vendor's website.
Vulnerable software versionsAPEX Cloud Platform for Red Hat OpenShift: before 03.03.00.00
CPE2.3 External linkshttps://bugzilla.redhat.com/show_bug.cgi?id=2257979
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=af6d10345ca76670c1b7c37799f0d5576ccef277
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU95093
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-42154
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the sizeof() function in net/ipv4/tcp_metrics.c. A local user can perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsAPEX Cloud Platform for Red Hat OpenShift: before 03.03.00.00
CPE2.3 External linkshttps://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9
https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c
https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98
https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6
https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3
https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99
https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321
https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
