DSA-2022-024: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities
요약: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that may potentially be exploited by malicious users to compromise the affected system.
이 문서는 다음에 적용됩니다.
이 문서는 다음에 적용되지 않습니다.
이 문서는 특정 제품과 관련이 없습니다.
모든 제품 버전이 이 문서에 나와 있는 것은 아닙니다.
영향
Critical
세부 정보
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-24411 | Dell PowerScale OneFS 8.2.2 and later contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE may potentially exploit this vulnerability, leading to elevation of privilege. This may potentially allow users to circumvent PowerScale Compliance Mode guarantees. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-24412 | Dell EMC PowerScale OneFS 8.2.x - 9.3.0.x contain an improper handling of value vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to denial-of-service. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-23161 | Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker may potentially exploit this vulnerability, leading to denial-of-service. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-23160 | Dell PowerScale OneFS 8.2.x - 9.3.0 contain an Improper Handling of Insufficient Permissions vulnerability. An remote malicious user may potentially exploit this vulnerability, leading to gaining write permissions on read-only files. | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| CVE-2022-23159 | Dell PowerScale OneFS 8.2.x - 9.3.0.x contain a missing release of memory after effective lifetime vulnerability. An authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_AUTH_PROVIDERS privileges may potentially exploit this vulnerability, leading to a Denial-Of-Service. This can also impact a cluster in Compliance mode. Dell recommends to update at the earliest opportunity. | 4.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H |
| CVE-2022-23163 | Dell PowerScale OneFS 8.2.x - 9.3.0.x contain a denial of service vulnerability. A local attacker with minimal privileges may potentially exploit this vulnerability, leading to denial of service/data unavailability. | 4.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-24413 | Dell PowerScale OneFS 8.2.2-9.3.x contain a time-of-check-to-time-of-use vulnerability. A local user with access to the filesystem may potentially exploit this vulnerability, leading to data loss. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| Third-Party Component | CVE | More information |
| Apache Portable Runtime | CVE-2017-12613 | CVE-2021-35940 |
영향을 받는 제품 및 문제 해결
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-24411 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24412 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23161 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2017-12613 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23160 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23159 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23163 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24413 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP |
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-24411 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24412 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23161 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2017-12613 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23160 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23159 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23163 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24413 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP |
해결 방법 및 완화 방안
| CVEs addressed | Workaround or Mitigation |
| CVE-2022-24411 | none |
| CVE-2022-24412 | Disable netbios support if enabled (default setting: disabled):
#isi smb settings global modify --support-netbios no
#isi smb settings global view | grep NetBIOS If the service is disabled, the following output is displayed: #Support NetBIOS: No |
| CVE-2022-23161 | Configure a valid FQDN in the SmartConnect service name field for every SmartConnect subnet on the cluster: #isi network subnets modify <subnet> --sc-service-name cluster-sc.example.com |
| CVE-2017-12613 | none |
| CVE-2022-23160 | Configure SMB share permissions of any SyncIQ target directory to prevent writes. |
| CVE-2022-23159 | none |
| CVE-2022-23163 | none |
| CVE-2022-24413 | none |
개정 내역
| Revision | Date | Description |
| 1.0 | 2022-03-03 | Initial |
| 1.1 | 2022-03-04 | Corrected Impact |
관련 정보
법적 고지 사항
해당 제품
PowerScale OneFS제품
Product Security Information문서 속성
문서 번호: 000196009
문서 유형: Dell Security Advisory
마지막 수정 시간: 30 11월 2022
다른 Dell 사용자에게 질문에 대한 답변 찾기
지원 서비스
디바이스에 지원 서비스가 적용되는지 확인하십시오.