DSA-2021-158: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities
Resumen: Dell PowerScale OneFS remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system.
Este artículo se aplica a
Este artículo no se aplica a
Este artículo no está vinculado a ningún producto específico.
No se identifican todas las versiones del producto en este artículo.
Impacto
High
Detalles
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-21561 | Dell PowerScale OneFS version 8.2.x - 9.1.x contains a sensitive information exposure vulnerability. This may allow a malicious user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE privileges to gain access to sensitive information in the log files. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36280 | Dell PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster. | 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Third-party Component | CVEs | More information |
| OpenSSH | Multiple | https://www.openssh.com/txt/release-8.6 This updates the version of OpenSSH to 8.6p1. |
| iDRAC | CVE-2020-5366 | KB article 177335: DSA-2020-128 iDRAC local file inclusion vulnerability. |
| CVE-2020-26198 | KB article 181088: DSA-2020-268 iDRAC reflected XSS vulnerability. |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-21561 | Dell PowerScale OneFS version 8.2.x - 9.1.x contains a sensitive information exposure vulnerability. This may allow a malicious user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE privileges to gain access to sensitive information in the log files. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36280 | Dell PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster. | 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Third-party Component | CVEs | More information |
| OpenSSH | Multiple | https://www.openssh.com/txt/release-8.6 This updates the version of OpenSSH to 8.6p1. |
| iDRAC | CVE-2020-5366 | KB article 177335: DSA-2020-128 iDRAC local file inclusion vulnerability. |
| CVE-2020-26198 | KB article 181088: DSA-2020-268 iDRAC reflected XSS vulnerability. |
Corrección y productos afectados
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| Multiple OpenSSH CVEs |
8.2.x, 9.0.0.x, 9.2.0.x | Upgrade your version of OneFS. | PowerScale OneFS Downloads Area |
| 9.1.0.x, and 9.2.1.x | Download and install the latest RUP. | ||
| CVE-2021-21561 | 9.0.0.x and 9.2.0.x | Upgrade your version of OneFS. | |
| 8.1.2, 8.2.2, and 9.1.0.x | Download and install the latest RUP. | ||
| CVE-2021-36280 | 9.0.0.x and 9.2.0.x | Upgrade your version of OneFS. | |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP. |
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2020-5366 | F200, F600, F900 running either 9.0.0.x, 9.1.0.x, 9.2.0.0x, or 9.2.1.x. |
Download and install Node Firmware Package (NFP) 11.1.4. | PowerScale OneFS Downloads Area |
| CVE-2021-26198 | F200, F600, F900 running either 9.0.0.x, 9.1.0.x, 9.2.0.0x, or 9.2.1.x. |
Download and install Node Firmware Package (NFP) 11.1.4. |
Note: The above table may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| Multiple OpenSSH CVEs |
8.2.x, 9.0.0.x, 9.2.0.x | Upgrade your version of OneFS. | PowerScale OneFS Downloads Area |
| 9.1.0.x, and 9.2.1.x | Download and install the latest RUP. | ||
| CVE-2021-21561 | 9.0.0.x and 9.2.0.x | Upgrade your version of OneFS. | |
| 8.1.2, 8.2.2, and 9.1.0.x | Download and install the latest RUP. | ||
| CVE-2021-36280 | 9.0.0.x and 9.2.0.x | Upgrade your version of OneFS. | |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP. |
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2020-5366 | F200, F600, F900 running either 9.0.0.x, 9.1.0.x, 9.2.0.0x, or 9.2.1.x. |
Download and install Node Firmware Package (NFP) 11.1.4. | PowerScale OneFS Downloads Area |
| CVE-2021-26198 | F200, F600, F900 running either 9.0.0.x, 9.1.0.x, 9.2.0.0x, or 9.2.1.x. |
Download and install Node Firmware Package (NFP) 11.1.4. |
Note: The above table may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
Soluciones alternativas y mitigaciones
| Workarounds and Mitigations | |
| Multiple OpenSSH CVEs | none |
| CVE-2020-5366 | none |
| CVE-2021-21561 | none |
| CVE-2021-26198 | none |
| CVE-2021-36280 | Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users. OR As root for clusters not in Smartlock WORM Compliance Mode, the following remediates the issue:
|
Historial de revisiones
| Revision | Date | Description |
| 1.0 | 9 Sep 2021 | Initial Release |
Información relacionada
Descargo de responsabilidad
Productos afectados
PowerScale OneFS, PowerScale F200, Product Security InformationPropiedades del artículo
Número del artículo: 000191265
Tipo de artículo: Dell Security Advisory
Última modificación: 19 jul 2022
Encuentre respuestas a sus preguntas de otros usuarios de Dell
Servicios de soporte
Compruebe si el dispositivo está cubierto por los servicios de soporte.