Article Number: 000201094
DSA-2022-149: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities
Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Article Content
Impact
Medium
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-33932 | Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2 contain an unprotected primary channel vulnerability. An unauthenticated network malicious attacker may potentially exploit this vulnerability, leading to a denial of file system services. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2022-31238 | Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2 contain a process invoked with sensitive information vulnerability. A CLI user may potentially exploit this vulnerability, leading to information disclosure. | 4.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-31239 | Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, and 9.3.0.6 contain sensitive data in log files vulnerability. A privileged local user may potentially exploit this vulnerability, leading to disclosure of this sensitive data. | 4.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-32480 | Dell PowerScale OneFS, versions 9.0.0, up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2 contain an insecure default initialization of a resource vulnerability. A remote authenticated attacker may potentially exploit this vulnerability, leading to information disclosure. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVE-2022-31237 | Dell PowerScale OneFS, versions 9.2.0 up to and including 9.2.1.12 and 9.3.0.5 contain an improper preservation of permissions vulnerability in SyncIQ. A low privileged local attacker may potentially exploit this vulnerability, leading to limited information disclosure. | 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Third-party Component | CVEs | More information |
| libxml2 | CVE-2021-3518 CVE-2021-3517 CVE-2021-3516 CVE-2020-7595 CVE-2019-20388 CVE-2022-23308 CVE-2020-24977 CVE-2021-3541 CVE-2021-3537 |
Search NVD  for details. |
| libexpat | CVE-2018-20843 CVE-2019-15903 CVE-2013-0340 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2021-45960 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2021-46143 CVE-2022-23852 CVE-2022-23990 CVE-2022-25235 CVE-2022-25236 CVE-2022-25315 CVE-2022-25314 CVE-2022-25313 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-33932 | Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2 contain an unprotected primary channel vulnerability. An unauthenticated network malicious attacker may potentially exploit this vulnerability, leading to a denial of file system services. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2022-31238 | Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2 contain a process invoked with sensitive information vulnerability. A CLI user may potentially exploit this vulnerability, leading to information disclosure. | 4.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-31239 | Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, and 9.3.0.6 contain sensitive data in log files vulnerability. A privileged local user may potentially exploit this vulnerability, leading to disclosure of this sensitive data. | 4.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-32480 | Dell PowerScale OneFS, versions 9.0.0, up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2 contain an insecure default initialization of a resource vulnerability. A remote authenticated attacker may potentially exploit this vulnerability, leading to information disclosure. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVE-2022-31237 | Dell PowerScale OneFS, versions 9.2.0 up to and including 9.2.1.12 and 9.3.0.5 contain an improper preservation of permissions vulnerability in SyncIQ. A low privileged local attacker may potentially exploit this vulnerability, leading to limited information disclosure. | 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Third-party Component | CVEs | More information |
| libxml2 | CVE-2021-3518 CVE-2021-3517 CVE-2021-3516 CVE-2020-7595 CVE-2019-20388 CVE-2022-23308 CVE-2020-24977 CVE-2021-3541 CVE-2021-3537 |
Search NVD for details. |
| libexpat | CVE-2018-20843 CVE-2019-15903 CVE-2013-0340 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2021-45960 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2021-46143 CVE-2022-23852 CVE-2022-23990 CVE-2022-25235 CVE-2022-25236 CVE-2022-25315 CVE-2022-25314 CVE-2022-25313 |
Affected Products and Remediation
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-33932 | OneFS | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.3 |
These versions are remediated. | PowerScale OneFS Downloads Area |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 9.4.0.0 through 9.4.0.2 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. | |||
| CVE-2022-31238 | OneFS | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.3 |
These versions are remediated. | |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 9.4.0.0 through 9.4.0.2 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. | |||
| CVE-2022-31239 | OneFS | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.0 |
These versions are remediated. | |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. | |||
| CVE-2022-32480 | OneFS | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.3 |
These versions are remediated. | |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 9.4.0.0 through 9.4.0.2 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. | |||
| CVE-2022-31237 | OneFS | >= 9.2.1.13 >= 9.4.0.0 |
These versions are remediated. | |
| 9.2.1.0 through 9.2.1.12 | Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| 9.2.0.0 or 9.2.0.1 | Upgrade your version of OneFS. | |||
| CVE-2021-3518 CVE-2021-3517 CVE-2021-3516 CVE-2020-7595 CVE-2019-20388 CVE-2022-23308 CVE-2020-24977 CVE-2021-3541 CVE-2021-3537 |
libxml2 | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.3 |
These versions are remediated. | |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 9.4.0.0 through 9.4.0.2 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. | |||
| CVE-2018-20843 CVE-2019-15903 CVE-2013-0340 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2021-45960 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2021-46143 CVE-2022-23852 CVE-2022-23990 CVE-2022-25235 CVE-2022-25236 CVE-2022-25315 CVE-2022-25314 CVE-2022-25313 |
libexpat | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.0 |
These versions are remediated. | |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. |
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-33932 | OneFS | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.3 |
These versions are remediated. | PowerScale OneFS Downloads Area |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 9.4.0.0 through 9.4.0.2 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. | |||
| CVE-2022-31238 | OneFS | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.3 |
These versions are remediated. | |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 9.4.0.0 through 9.4.0.2 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. | |||
| CVE-2022-31239 | OneFS | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.0 |
These versions are remediated. | |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. | |||
| CVE-2022-32480 | OneFS | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.3 |
These versions are remediated. | |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 9.4.0.0 through 9.4.0.2 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. | |||
| CVE-2022-31237 | OneFS | >= 9.2.1.13 >= 9.4.0.0 |
These versions are remediated. | |
| 9.2.1.0 through 9.2.1.12 | Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| 9.2.0.0 or 9.2.0.1 | Upgrade your version of OneFS. | |||
| CVE-2021-3518 CVE-2021-3517 CVE-2021-3516 CVE-2020-7595 CVE-2019-20388 CVE-2022-23308 CVE-2020-24977 CVE-2021-3541 CVE-2021-3537 |
libxml2 | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.3 |
These versions are remediated. | |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 9.4.0.0 through 9.4.0.2 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. | |||
| CVE-2018-20843 CVE-2019-15903 CVE-2013-0340 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2021-45960 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2021-46143 CVE-2022-23852 CVE-2022-23990 CVE-2022-25235 CVE-2022-25236 CVE-2022-25315 CVE-2022-25314 CVE-2022-25313 |
libexpat | >= 9.1.0.20 >= 9.2.1.13 >= 9.4.0.0 |
These versions are remediated. | |
| 9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 |
Download and install the latest RUP. | |||
| 9.3.0.0 through 9.3.0.6 | RUP is expected in July. If a fix is needed sooner, upgrade your version of OneFS. | |||
| Any other version | Upgrade your version of OneFS. |
Workarounds and Mitigations
| CVE | Other Mitigation |
| CVE-2022-31238 CVE-2022-31239 |
Dell does not recommend using FTP to upload diagnostic information. For information about a secure solution to upload diagnostic information, see the "SRS Summary" section in the PowerScale OneFS Web or CLI administration guides. |
| CVE-2022-32480 | Disable all unnecessary services for unneeded protocols by following the recommendations in the OneFS Security Configuration Guide. |
| CVE-2022-31237 | Ensure file system permissions on parent directories containing SyncIQ datasets are set securely. |
Revision History
| Revision | Date | Description |
| 1.0 | 2022-06-30 | Initial release |
Related Information
Legal Information
Article Properties
Affected Product
PowerScale OneFS, Product Security Information
Last Published Date
20 Jun 2023
Version
5
Article Type
Dell Security Advisory