DSA-2021-180: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities.
Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
Medium
Details
| Proprietary Code CVE | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36305 | Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data in a Multithreaded Context in SMB CA handling. An authenticated user of SMB on a cluster with CA may potentially exploit this vulnerability, leading to a denial of service over SMB. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Third-party Component | CVE | More information |
| FreeBSD | CVE-2021-29626 | https://nvd.nist.gov/vuln/detail/CVE-2021-29626 In OneFS, a copy-on-write logic failed to invalidate shared memory page mappings between multiple processes which amy allow an unprivileged process to maintain a mapping after it is freed, allowing the process to read private data belonging to other processes or the kernel. |
| Proprietary Code CVE | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-36305 | Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data in a Multithreaded Context in SMB CA handling. An authenticated user of SMB on a cluster with CA may potentially exploit this vulnerability, leading to a denial of service over SMB. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Third-party Component | CVE | More information |
| FreeBSD | CVE-2021-29626 | https://nvd.nist.gov/vuln/detail/CVE-2021-29626 In OneFS, a copy-on-write logic failed to invalidate shared memory page mappings between multiple processes which amy allow an unprivileged process to maintain a mapping after it is freed, allowing the process to read private data belonging to other processes or the kernel. |
Affected Products & Remediation
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2021-36305 | 8.2.0, 8.2.1, 9.0.0.x, 9.2.0.x, and 9.1.1.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 8.2.2, 9.1.0.x , and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2021-29626 | 8.2.0, 8.2.1, 9.0.0.x, 9.2.0.x, and 9.1.1.x | Upgrade your version of OneFS | |
| 8.2.x, 9.1.0.x , and 9.2.1.x | Download and install the latest RUP |
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2021-36305 | 8.2.0, 8.2.1, 9.0.0.x, 9.2.0.x, and 9.1.1.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 8.2.2, 9.1.0.x , and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2021-29626 | 8.2.0, 8.2.1, 9.0.0.x, 9.2.0.x, and 9.1.1.x | Upgrade your version of OneFS | |
| 8.2.x, 9.1.0.x , and 9.2.1.x | Download and install the latest RUP |
Workarounds & Mitigations
| Workarounds or Mitigations | |
| CVE-2021-36305 | Disabling Continuous Availability (CA) on all SMB shares that has it enabled prevents the issue. |
| CVE-2021-29626 | Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users. |
Revision History
| Revision | Date | Description |
| 1.0 | 30 Sep 2021 | Initial Release |
Related Information
Legal Disclaimer
Affected Products
PowerScale OneFS, Product Security InformationArticle Properties
Article Number: 000192046
Article Type: Dell Security Advisory
Last Modified: 15 Feb 2022
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.