DSA-2026-047: Security update for Dell ECS and ObjectScale Multiple Vulnerabilities
Shrnutí: Dell ECS and ObjectScale remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Tento článek se vztahuje na
Tento článek se nevztahuje na
Tento článek není vázán na žádný konkrétní produkt.
V tomto článku nejsou uvedeny všechny verze produktu.
Vliv
Critical
Podrobnosti
| Third-party Component | CVEs | More Information |
| Apache Commons IO | CVE-2024-47554 | https://nvd.nist.gov/vuln/search |
| jackson-core | CVE-2025-52999 | https://nvd.nist.gov/vuln/search |
| kernel-default | CVE-2022-50482, CVE-2022-50497 | https://nvd.nist.gov/vuln/search |
| net/netip | CVE-2024-24790 | https://nvd.nist.gov/vuln/search |
| XStream | CVE-2024-47072 | https://nvd.nist.gov/vuln/search |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-22273 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-22271 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2026-22274 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-22276 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-22275 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-22273 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-22271 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2026-22274 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-22276 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-22275 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Dotčené produkty a náprava
| Product | Affected Versions | Remediated Versions | Link |
| Elastic Cloud Storage (ECS) | Versions 3.8.1.0 through 3.8.1.7 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
| ObjectScale | Versions prior to 4.2.0.0 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
| Product | Affected Versions | Remediated Versions | Link |
| Elastic Cloud Storage (ECS) | Versions 3.8.1.0 through 3.8.1.7 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
| ObjectScale | Versions prior to 4.2.0.0 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
Note:
-
To remediate vulnerabilities, customers running supported affected versions of ECS must upgrade to the latest ObjectScale release 4.2.0.0.
- Dell recommends all customers have their ObjectScale systems upgraded at the earliest opportunity by opening an “Operating Environment Upgrade” Service Request.
- Please visit the Security Update Release Schedule for Supported Versions of ObjectScale (formerly ECS) for more information.
Zástupná řešení a opatření pro zmírnění rizik
| CVE ID | Workaround and Mitigation |
| CVE-2026-22273 | To mitigate this vulnerability, customers on all supported ECS or Objectscale versions, still using default credentials, can apply the password change procedure documented as a 'NOTE' under the ‘Default Node Users’ table in the Dell ObjectScale 4.2.0.0 Security Configuration Guide, without performing an upgrade. |
| CVE-2026-22271 |
To remediate this vulnerability, starting with ObjectScale version 4.2.0.0, the system automatically disables CAS unless it detects active usage. To mitigate this vulnerability, customers who have not upgraded to ObjectScale version 4.2.0.0 yet or are actively using CAS in their setup should refer to the ‘Securing the CAS Protocol’ section in the Dell ObjectScale 4.2.0.0 Security Configuration Guide and apply the recommended steps. |
Historie změn
| Revision | Date | Description |
| 1.0 | 2026-01-16 | Initial Release |
| 2.0 | 2026-01-20 | Minor Update: Aligned CVE-2026-22271 and CVE-2026-22273 mitigations with their descriptions |
| 3.0 | 2026-05-11 | Major Update: Added kernel related CVE-2022-50482 and CVE-2022-50497 |
Související informace
Právní upozornění
Dotčené produkty
ECS, ObjectScale, ECS Appliance, ECS Appliance Hardware Series, ECS Appliance Software with Encryption, ECS Appliance Software without Encryption, ObjectScale Software with Encryption, ObjectScale Software without Encryption
, ObjectScale Appliance Series, ObjectScale Software Series
...
Vlastnosti článku
Číslo článku: 000415880
Typ článku: Dell Security Advisory
Poslední úprava: 10 kvě 2026
Najděte odpovědi na své otázky od ostatních uživatelů společnosti Dell
Služby podpory
Zkontrolujte, zda se na vaše zařízení vztahují služby podpory.