DSA-2022-002: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities
Resumen: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system.
Este artículo se aplica a
Este artículo no se aplica a
Este artículo no está vinculado a ningún producto específico.
No se identifican todas las versiones del producto en este artículo.
Impacto
High
Detalles
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-22561 | Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts. | 8.1 | CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVE-2022-22549 | Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2022-22559 | Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-22562 | Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-22560 | Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline. | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| CVE-2022-22550 | Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-22565 | Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data. | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| Third-party Component | CVEs | More information |
| GNU gettext | CVE-2018-18751 | https://nvd.nist.gov/vuln/detail/CVE-2018-18751 https://www.gnu.org/software/gettext/ |
| OpenSSL | CVE-2021-3712 | https://nvd.nist.gov/vuln/detail/CVE-2021-3712 https://www.openssl.org/news/secadv/20210824.txt |
| Apache | Multiple | https://httpd.apache.org/security/vulnerabilities_24.html |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-22561 | Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts. | 8.1 | CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVE-2022-22549 | Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2022-22559 | Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-22562 | Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-22560 | Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline. | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| CVE-2022-22550 | Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-22565 | Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data. | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| Third-party Component | CVEs | More information |
| GNU gettext | CVE-2018-18751 | https://nvd.nist.gov/vuln/detail/CVE-2018-18751 https://www.gnu.org/software/gettext/ |
| OpenSSL | CVE-2021-3712 | https://nvd.nist.gov/vuln/detail/CVE-2021-3712 https://www.openssl.org/news/secadv/20210824.txt |
| Apache | Multiple | https://httpd.apache.org/security/vulnerabilities_24.html |
Corrección y productos afectados
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-22561 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22549 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22559 | n/a | Upgrade your version of OneFS | |
| 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22562 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22560 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22550 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2018-18751 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2021-3712 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| Apache: Multiple | 8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22565 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-22561 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22549 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22559 | n/a | Upgrade your version of OneFS | |
| 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22562 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22560 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22550 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2018-18751 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2021-3712 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| Apache: Multiple | 8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22565 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
Historial de revisiones
| Revision | Date | Description |
| 1.0 | 2022-01-31 | Initial Release |
Información relacionada
Descargo de responsabilidad
Productos afectados
PowerScale OneFS, Product Security InformationPropiedades del artículo
Número del artículo: 000195815
Tipo de artículo: Dell Security Advisory
Última modificación: 31 ene 2022
Encuentre respuestas a sus preguntas de otros usuarios de Dell
Servicios de soporte
Compruebe si el dispositivo está cubierto por los servicios de soporte.