CVE Vulnerabilities

CVE-2022-34381

Reliance on Component That is Not Updateable

Published: Feb 02, 2024 | Modified: Nov 21, 2024
CVSS 3.x: 9.8 CRITICAL (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Dell BSAFE SSL-J version 7.0 and all versions prior to 6.5, and Dell BSAFE Crypto-J versions prior to 6.2.6.1 contain an unmaintained third-party component vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to the compromise of the impacted system. This is a Critical vulnerability and Dell recommends that customers upgrade at the earliest opportunity.

Weakness

The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.

Affected Software

Name          Vendor   Start Version     End Version
Bsafe_ssl-j   Dell     *                 6.5 (excluding)
Bsafe_ssl-j   Dell     7.0 (including)   7.0 (including)

Extended Description

If the component is discovered to contain a vulnerability or critical bug, but the issue cannot be fixed using an update or patch, then the product's owner will not be able to protect against the issue. The only option might be replacement of the product, which could be too financially or operationally expensive for the product owner. As a result, the inability to patch or update can leave the product open to attacker exploitation or critical operation failures. This weakness can be especially difficult to manage when using ROM, firmware, or similar components that traditionally have had limited or no update capabilities.

In industries such as healthcare, "legacy" devices can be operated for decades. As a US task force report [REF-1197] notes, "the inability to update or replace equipment has both large and small health care delivery organizations struggle with numerous unsupported legacy systems that cannot easily be replaced (hardware, software, and operating systems) with large numbers of vulnerabilities and few modern countermeasures."

While hardware can be prone to this weakness, software systems can also be affected, such as when a third-party driver or library is no longer actively maintained or supported but is still critical for the required functionality.

Potential Mitigations

References