DSA-2021-158: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities
Сводка: Dell PowerScale OneFS remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system.
Данная статья применяется к
Данная статья не применяется к
Эта статья не привязана к какому-либо конкретному продукту.
В этой статье указаны не все версии продуктов.
Влияние
High
Подробные сведения
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-21561 | Dell PowerScale OneFS version 8.2.x - 9.1.x contains a sensitive information exposure vulnerability. This may allow a malicious user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE privileges to gain access to sensitive information in the log files. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36280 | Dell PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster. | 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Third-party Component | CVEs | More information |
| OpenSSH | Multiple | https://www.openssh.com/txt/release-8.6 This updates the version of OpenSSH to 8.6p1. |
| iDRAC | CVE-2020-5366 | KB article 177335: DSA-2020-128 iDRAC local file inclusion vulnerability. |
| CVE-2020-26198 | KB article 181088: DSA-2020-268 iDRAC reflected XSS vulnerability. |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-21561 | Dell PowerScale OneFS version 8.2.x - 9.1.x contains a sensitive information exposure vulnerability. This may allow a malicious user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE privileges to gain access to sensitive information in the log files. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36280 | Dell PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster. | 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Third-party Component | CVEs | More information |
| OpenSSH | Multiple | https://www.openssh.com/txt/release-8.6 This updates the version of OpenSSH to 8.6p1. |
| iDRAC | CVE-2020-5366 | KB article 177335: DSA-2020-128 iDRAC local file inclusion vulnerability. |
| CVE-2020-26198 | KB article 181088: DSA-2020-268 iDRAC reflected XSS vulnerability. |
Затронутые продукты и исправление
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| Multiple OpenSSH CVEs |
8.2.x, 9.0.0.x, 9.2.0.x | Upgrade your version of OneFS. | PowerScale OneFS Downloads Area |
| 9.1.0.x, and 9.2.1.x | Download and install the latest RUP. | ||
| CVE-2021-21561 | 9.0.0.x and 9.2.0.x | Upgrade your version of OneFS. | |
| 8.1.2, 8.2.2, and 9.1.0.x | Download and install the latest RUP. | ||
| CVE-2021-36280 | 9.0.0.x and 9.2.0.x | Upgrade your version of OneFS. | |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP. |
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2020-5366 | F200, F600, F900 running either 9.0.0.x, 9.1.0.x, 9.2.0.0x, or 9.2.1.x. |
Download and install Node Firmware Package (NFP) 11.1.4. | PowerScale OneFS Downloads Area |
| CVE-2021-26198 | F200, F600, F900 running either 9.0.0.x, 9.1.0.x, 9.2.0.0x, or 9.2.1.x. |
Download and install Node Firmware Package (NFP) 11.1.4. |
Note: The above table may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| Multiple OpenSSH CVEs |
8.2.x, 9.0.0.x, 9.2.0.x | Upgrade your version of OneFS. | PowerScale OneFS Downloads Area |
| 9.1.0.x, and 9.2.1.x | Download and install the latest RUP. | ||
| CVE-2021-21561 | 9.0.0.x and 9.2.0.x | Upgrade your version of OneFS. | |
| 8.1.2, 8.2.2, and 9.1.0.x | Download and install the latest RUP. | ||
| CVE-2021-36280 | 9.0.0.x and 9.2.0.x | Upgrade your version of OneFS. | |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP. |
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2020-5366 | F200, F600, F900 running either 9.0.0.x, 9.1.0.x, 9.2.0.0x, or 9.2.1.x. |
Download and install Node Firmware Package (NFP) 11.1.4. | PowerScale OneFS Downloads Area |
| CVE-2021-26198 | F200, F600, F900 running either 9.0.0.x, 9.1.0.x, 9.2.0.0x, or 9.2.1.x. |
Download and install Node Firmware Package (NFP) 11.1.4. |
Note: The above table may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
Временные решения и снижение риска
| Workarounds and Mitigations | |
| Multiple OpenSSH CVEs | none |
| CVE-2020-5366 | none |
| CVE-2021-21561 | none |
| CVE-2021-26198 | none |
| CVE-2021-36280 | Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users. OR As root for clusters not in Smartlock WORM Compliance Mode, the following remediates the issue:
|
История изменений
| Revision | Date | Description |
| 1.0 | 9 Sep 2021 | Initial Release |
Связанная информация
Правовая оговорка
Затронутые продукты
PowerScale OneFS, PowerScale F200, Product Security InformationСвойства статьи
Номер статьи: 000191265
Тип статьи: Dell Security Advisory
Последнее изменение: 19 Jul 2022
Получите ответы на свои вопросы от других пользователей Dell
Услуги технической поддержки
Проверьте, распространяются ли на ваше устройство услуги технической поддержки.