This page shows results from the Nessus scan run against Data Center Expert and other relevant security vulnerability information related to the product.
Security scanners may report a warning level issue regarding SSH weak ciphers. These ciphers are enabled to maintain compatibility with certain NMC device firmware.
To get the most recent features and security fixes, update your software to the latest version.
Schneider Electric Vulnerability Management Policy
Data Center Expert relevant security vulnerabilities
| Vulnerability | Answer | Comments |
|---|---|---|
| Fallout (CVE-2018-12126), ZombieLoad (CVE-2018-12130) | Microarchitectural Data Sampling (MDS) security issues could let an attacker execute code or extract sensitive data that are otherwise protected by the Intel processors' architectural mechanisms. CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (Fallout); CVE-2018-12127: Microarchitectural Load Port Data Sampling; CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (ZombieLoad); CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory | Update DCE to v7.7.0 |
| ZipSlip (CVE-2018-7807) | Data Center Expert allows a zip file to be uploaded from its user interface to the server. A carefully crafted, malicious file containing path traversal file names could be mistakenly uploaded by an authenticated user via this feature. This could allow files contained within the zip to be written to the server file system outside of the intended directory. This is an instance of the commonly known ZipSlip vulnerability in Java code. CVSS 3.0: 6.6. Vector: AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H. Affected versions: Data Center Expert 7.5.0 and earlier. | Update DCE to v7.6.0 |
| Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715) | All versions of Data Center Expert up to and including v7.4.3 are affected. Customers are advised to upgrade to the latest version of DCE when it is available. An unprivileged attacker could use this flaw to: | Update DCE to v7.5.0. For more information about these software vulnerabilities, see this Schneider Electric Security Notification. |
| CVE-2017-7494 | Data Center Expert is not affected. | Security scanners may report this vulnerability because the Samba-client and Samba-common packages are installed on DCE. DCE does not run a Samba server or export shared folders. |
| Dirty COW (CVE-2016-5195) | All versions of Data Center Expert up to and including v7.4.1 are affected. | A fix is included in Data Center Expert v7.5.0. See APC knowledge base article ID FA300798 for additional information. |
| OpenSSL (CVE-2016-2108) and related CVEs | All versions of Data Center Expert up to and including v7.3.1 are affected. | A fix is available in Data Center Expert versions 7.4.0 and higher. |
| GLibc | All versions of Data Center Expert up to and including v7.3.1 are affected. | A hot fix is available for Data Center Expert v7.3.1 ONLY. Any other version must be upgraded to v7.3.1 before this hot fix can be applied. You must call Technical Support to get the hot fix for your Data Center Expert v7.3.1 server. |
| Zero Day (CVE-2016-0728) | Data Center Expert v7.2.7 is not affected by the Zero Day vulnerability. | Data Center Expert v7.2.7 uses Linux kernel 2.6.x, which is older than the affected 3.8 and higher kernels. |
| Logjam (CVE-2015-4000) | Data Center Expert v7.2.7 is not affected by the Logjam vulnerability. | Data Center Expert v7.2.7 does not allow connections using any Diffie-Hellman or export-grade ciphers. |
| GHOST (CVE-2015-0235) | Data Center Expert is affected. A manual update is available for DCE v7.2.6 servers only. | You must call Technical Support to update your DCE v7.2.6 server. This update can be applied to DCE v7.2.6 ONLY. Earlier DCE versions must be updated to v7.2.6 before applying the update. Note: The next release of DCE will address this issue. |
| Heartbleed (OpenSSL) | Data Center Expert is not affected by the Heartbleed vulnerability. | http://www2.schneider-electric.com/support/index?page=content&country=APS_GLOBAL&lang=FR&id=FA228282 |
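The ZipSlip row above describes zip entry names that escape the intended extraction directory. The following is an added example, not Schneider Electric's code and not the DCE implementation: it shows in Python (the affected product is Java, but the check is the same) how a per-entry extraction loop must resolve each entry's target path and refuse any that leaves the destination. The archive, its entry names and the destination directory are all constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Optional, Tuple

def safe_entry_path(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the resolved target path for a zip entry, or None if it escapes dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    # join() discards dest_root for an absolute entry name and realpath() collapses
    # "../" components, so an escape shows up as a path not rooted at dest_root.
    target = os.path.realpath(os.path.join(dest_root, entry_name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        return None
    return target

def extract_zip_safely(zip_bytes: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Write entries that stay inside dest_dir; return (written, rejected) entry names.
    Mirrors the unchecked per-entry loop the advisory describes, with safe_entry_path()
    as the missing check; ZipFile.extractall() sanitises names itself, so it is not used."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_entry_path(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)  # in production: log and reject the upload
                continue
            if not info.is_dir():  # directories are created on demand below
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(info.filename)
    return written, rejected

def build_sample_zip() -> bytes:
    """Constructed archive (not a real DCE upload): one benign entry, two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/summary.txt", "benign content\n")
        zf.writestr("../../../tmp/zipslip-escaped.txt", "must never be written\n")
        zf.writestr("/etc/zipslip-absolute.txt", "nor this\n")
    return buf.getvalue()

def demo() -> Tuple[List[str], List[str]]:
    """Extract the sample archive into a throwaway directory and report the outcome."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_zip_safely(build_sample_zip(), dest)
```

Running `demo()` writes only `reports/summary.txt` and reports the two traversal entries as rejected; a scanner or code review of an extraction routine should look for exactly this resolve-then-compare step before any file is opened for writing.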