Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products

DSA-2023-035: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Impact

High

Details

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2023-25536 Dell PowerScale OneFS 9.4.0.x contains exposure of sensitive information to an unauthorized actor. A malicious authenticated local user could potentially exploit this vulnerability in certificate management, leading to a potential system takeover. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2023-25540 Dell PowerScale OneFS 9.4.0.x contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability to overwrite arbitrary files causing denial of service. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2023-23689 Dell PowerScale nodes A200, A2000, H400, H500, H600, H5600, F800, F810 integrated hardware management software contains an uncontrolled resource consumption vulnerability. This may allow an unauthenticated network host to impair integrated hardware management functionality and trigger OneFS data protection mechanism causing a denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
 
Third-party Component CVEs More Information
libxml2 CVE-2022-40304 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for more details.
python38 CVE-2020-10735 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for more details.
Intel Platform CVE-2021-0153
CVE-2021-0154
CVE-2021-0155
CVE-2021-0159
CVE-2021-0188
CVE-2021-0189
CVE-2021-0190
CVE-2021-33060
CVE-2021-33103
CVE-2021-33122
CVE-2021-33123
CVE-2021-33124
CVE-2022-21123
CVE-2022-21125
CVE-2022-21127
CVE-2022-21166
CVE-2022-21180
INTEL-SA-00601 This hyperlink is taking you to a website outside of Dell Technologies.
INTEL-SA-00686 This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2022-0004
CVE-2021-21131
INTEL-SA-00613 This hyperlink is taking you to a website outside of Dell Technologies.
See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.
CVE-2022-0778 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.
Arista EOS

CVE-2021-28500

CVE-2021-28501

CVE-2021-28503

CVE-2021-28506

CVE-2021-28507

CVE-2021-28496

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies.for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

 
NOTE: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0.
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2023-25536 Dell PowerScale OneFS 9.4.0.x contains exposure of sensitive information to an unauthorized actor. A malicious authenticated local user could potentially exploit this vulnerability in certificate management, leading to a potential system takeover. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2023-25540 Dell PowerScale OneFS 9.4.0.x contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability to overwrite arbitrary files causing denial of service. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2023-23689 Dell PowerScale nodes A200, A2000, H400, H500, H600, H5600, F800, F810 integrated hardware management software contains an uncontrolled resource consumption vulnerability. This may allow an unauthenticated network host to impair integrated hardware management functionality and trigger OneFS data protection mechanism causing a denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
 
Third-party Component CVEs More Information
libxml2 CVE-2022-40304 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for more details.
python38 CVE-2020-10735 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for more details.
Intel Platform CVE-2021-0153
CVE-2021-0154
CVE-2021-0155
CVE-2021-0159
CVE-2021-0188
CVE-2021-0189
CVE-2021-0190
CVE-2021-33060
CVE-2021-33103
CVE-2021-33122
CVE-2021-33123
CVE-2021-33124
CVE-2022-21123
CVE-2022-21125
CVE-2022-21127
CVE-2022-21166
CVE-2022-21180
INTEL-SA-00601 This hyperlink is taking you to a website outside of Dell Technologies.
INTEL-SA-00686 This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2022-0004
CVE-2021-21131
INTEL-SA-00613 This hyperlink is taking you to a website outside of Dell Technologies.
See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.
CVE-2022-0778 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.
Arista EOS

CVE-2021-28500

CVE-2021-28501

CVE-2021-28503

CVE-2021-28506

CVE-2021-28507

CVE-2021-28496

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies.for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

 
NOTE: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVE(s) Addressed Product Affected Version(s) Updated Version(s) Link to Update
CVE-2022-40304
 
PowerScale OneFS
 

9.1.0.0 through 9.1.0.27

9.2.1.0 through 9.2.1.20

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.1.0.28

>= 9.2.1.21

>= 9.4.0.13

>= 9.5.0.0

PowerScale OneFS Downloads Area
 

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2023-25536

PowerScale OneFS

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.4.0.12

CVE-2023-25540

PowerScale OneFS
 

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.4.0.12

 CVE-2020-10735
 
PowerScale OneFS
 

9.4.0.0 through 9.4.0.11

 

Download and install the latest RUP.

>= 9.4.0.12

CVE-2021-0153

CVE-2021-0154

CVE-2021-0155

CVE-2021-0159

CVE-2021-0188

CVE-2021-0189

CVE-2021-0190

CVE-2021-33060

CVE-2021-33103

CVE-2021-33122

CVE-2021-33123

CVE-2021-33124

CVE-2022-21123

CVE-2022-21125

CVE-2022-21127

CVE-2022-21166

CVE-2022-21180

A200

A2000

F800

F810

H400

H500

H600

H5600

9.5.0.x

9.4.0.x

9.3.0.x 

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

Download and install the latest NFP version >= 11.6.1

 

 

 

 

CVE-2022-0004

CVE-2021-21131

A300

A3000

H700

H7000

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

CVE-2022-0778

A300

A3000

H700

H7000

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

CVE-2023-23689

A200

A2000

H400

H500

H600

H5600

F800

F810

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

CVE-2021-28500

CVE-2021-28501

CVE-2021-28503

CVE-2021-28506

CVE-2021-28507

CVE-2021-28496

PowerScale OneFS with Arista Switch Series DCS-7304 and DCS-7308

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

Download and install Arista EOS >=4.28.3

Note: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0

CVE(s) Addressed Product Affected Version(s) Updated Version(s) Link to Update
CVE-2022-40304
 
PowerScale OneFS
 

9.1.0.0 through 9.1.0.27

9.2.1.0 through 9.2.1.20

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.1.0.28

>= 9.2.1.21

>= 9.4.0.13

>= 9.5.0.0

PowerScale OneFS Downloads Area
 

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2023-25536

PowerScale OneFS

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.4.0.12

CVE-2023-25540

PowerScale OneFS
 

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.4.0.12

 CVE-2020-10735
 
PowerScale OneFS
 

9.4.0.0 through 9.4.0.11

 

Download and install the latest RUP.

>= 9.4.0.12

CVE-2021-0153

CVE-2021-0154

CVE-2021-0155

CVE-2021-0159

CVE-2021-0188

CVE-2021-0189

CVE-2021-0190

CVE-2021-33060

CVE-2021-33103

CVE-2021-33122

CVE-2021-33123

CVE-2021-33124

CVE-2022-21123

CVE-2022-21125

CVE-2022-21127

CVE-2022-21166

CVE-2022-21180

A200

A2000

F800

F810

H400

H500

H600

H5600

9.5.0.x

9.4.0.x

9.3.0.x 

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

Download and install the latest NFP version >= 11.6.1

 

 

 

 

CVE-2022-0004

CVE-2021-21131

A300

A3000

H700

H7000

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

CVE-2022-0778

A300

A3000

H700

H7000

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

CVE-2023-23689

A200

A2000

H400

H500

H600

H5600

F800

F810

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

CVE-2021-28500

CVE-2021-28501

CVE-2021-28503

CVE-2021-28506

CVE-2021-28507

CVE-2021-28496

PowerScale OneFS with Arista Switch Series DCS-7304 and DCS-7308

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

Download and install Arista EOS >=4.28.3

Note: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0

Workarounds & Mitigations

CVEs Workarounds
CVE-2023-25540 Manually set the permissions of /ifs/.ifsvar/modules/security_check to 755.
#chmod 755 /ifs/.ifsvar/modules/security_check
CVE-2023-25536 Manually remove the self-signed certificates on cluster nodes.
#isi_for_array "test -e /etc/ssl/certs/4a7a8630.0 && rm -f /etc/ssl/certs/4a7a8630.0 || exit 0"

Revision History

RevisionDateDescription
1.02023-02-28 Initial release
1.12023-03-02Added CVE-2023-25536 and updated Workaround and Mitigation section.
1.22023-05-17Added Arista EOS CVEs

Related Information

Affected Products

PowerScale OneFS, PowerScale Archive A300, PowerScale Archive A3000, PowerScale Hybrid H700, PowerScale Hybrid H7000, Product Security Information
Article Properties
Article Number: 000209895
Article Type: Dell Security Advisory
Last Modified: 01 Mar 2024
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.