Article Number: 000185202
Critical
| Proprietary Code CVE(s) | Description | CVSSBase Score | CVSS Vector String |
| CVE-2021-21526 | Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in SmartLock compliance mode that may allow compadmin to execute arbitrary commands as root. Note: If running in Compliance Mode, this is a critical vulnerability. |
6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2020-26197 | Dell PowerScale OneFS 8.1.0 – 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider. |
7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2021-21502 | Dell PowerScale OneFS 8.1.0 – 9.1.0 contains a use of a key past its expiration date vulnerability. An expired user with ISI_PRIV_LOGIN_SSH is still able to login. Note: This has already been disclosed in DSA-2021-009, but is included here due to patches for more releases being available. |
9.8 (prior disclosure) |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Proprietary Code CVE(s) | Description | CVSSBase Score | CVSS Vector String |
| CVE-2021-21526 | Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in SmartLock compliance mode that may allow compadmin to execute arbitrary commands as root. Note: If running in Compliance Mode, this is a critical vulnerability. |
6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2020-26197 | Dell PowerScale OneFS 8.1.0 – 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider. |
7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2021-21502 | Dell PowerScale OneFS 8.1.0 – 9.1.0 contains a use of a key past its expiration date vulnerability. An expired user with ISI_PRIV_LOGIN_SSH is still able to login. Note: This has already been disclosed in DSA-2021-009, but is included here due to patches for more releases being available. |
9.8 (prior disclosure) |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE Addressed | Affected Version(s) | Updated Version(s) | Link to Update |
| CVE-2021-21526 | 9.0 | Upgrade your OneFS version | PowerScale Downloads Area on https://www.dell.com |
| 9.1 | March RUP_2021-03 | ||
CVE-2020-26197 |
8.1.0, 8.1.1 | Upgrade your OneFS version | |
| 8.1.2 | March RUP_2021-03 | ||
| 8.2.2 | November RUP_2020-11 | ||
CVE-2021-21502 |
8.1.0, 8.1.1, 8.2.0, 8.2.1, 9.0.0 | Upgrade your OneFS version | |
| 9.1.0 | RUP 2021-01 | ||
| 8.1.2, 8.2.2 | RUP 2021-03 |
| CVE Addressed | Affected Version(s) | Updated Version(s) | Link to Update |
| CVE-2021-21526 | 9.0 | Upgrade your OneFS version | PowerScale Downloads Area on https://www.dell.com |
| 9.1 | March RUP_2021-03 | ||
CVE-2020-26197 |
8.1.0, 8.1.1 | Upgrade your OneFS version | |
| 8.1.2 | March RUP_2021-03 | ||
| 8.2.2 | November RUP_2020-11 | ||
CVE-2021-21502 |
8.1.0, 8.1.1, 8.2.0, 8.2.1, 9.0.0 | Upgrade your OneFS version | |
| 9.1.0 | RUP 2021-01 | ||
| 8.1.2, 8.2.2 | RUP 2021-03 |
| CVE ID | Workaround(s) and Mitigation(s) |
| CVE-2021-21526 | None. |
| CVE-2020-26197 | Disable LDAP Providers. |
| CVE-2021-21502 |
Disabling public key authentication in SSH; login to your cluster with a username which has the appropriate privileges, and at the prompt, enter the following CLI commands:
# isi ssh modify --auth-settings-template=custom
# isi ssh settings modify --pubkey-authentication=false
|
| Revision | Date | Description |
| 1.0 | 2021-04-12 | Initial Release |
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
PowerScale OneFS
Product Security Information
28 Sep 2021
2
Dell Security Advisory