
Article Number: 000201094


DSA-2022-149: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content


Impact

Medium

Details
Proprietary Code CVEs

CVE-2022-33932
  Description: Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an unprotected primary channel vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to a denial of filesystem services.
  CVSS Base Score: 5.3
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2022-31238
  Description: Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain a process-invoked-with-sensitive-information vulnerability. A CLI user may potentially exploit this vulnerability, leading to information disclosure.
  CVSS Base Score: 4.7
  CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-31239
  Description: Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, and 9.3.0.6, contain a sensitive-data-in-log-files vulnerability. A privileged local user may potentially exploit this vulnerability, leading to disclosure of this sensitive data.
  CVSS Base Score: 4.7
  CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-32480
  Description: Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an insecure default initialization of a resource vulnerability. A remote authenticated attacker may potentially exploit this vulnerability, leading to information disclosure.
  CVSS Base Score: 4.3
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2022-31237
  Description: Dell PowerScale OneFS, versions 9.2.0 up to and including 9.2.1.12, and 9.3.0.5, contain an improper preservation of permissions vulnerability in SyncIQ. A low-privileged local attacker may potentially exploit this vulnerability, leading to limited information disclosure.
  CVSS Base Score: 3.3
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Third-party Component CVEs (see NVD for details)

libxml2:
  CVE-2021-3518
  CVE-2021-3517
  CVE-2021-3516
  CVE-2020-7595
  CVE-2019-20388
  CVE-2022-23308
  CVE-2020-24977
  CVE-2021-3541
  CVE-2021-3537

libexpat:
  CVE-2018-20843
  CVE-2019-15903
  CVE-2013-0340
  CVE-2022-22822
  CVE-2022-22823
  CVE-2022-22824
  CVE-2021-45960
  CVE-2022-22825
  CVE-2022-22826
  CVE-2022-22827
  CVE-2021-46143
  CVE-2022-23852
  CVE-2022-23990
  CVE-2022-25235
  CVE-2022-25236
  CVE-2022-25315
  CVE-2022-25314
  CVE-2022-25313
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.
Affected Products and Remediation
Columns: CVEs Addressed, Product, Affected Versions, Updated Versions, Link to Update
Link to Update (all rows): PowerScale OneFS Downloads Area
"RUP expected in July" refers to July 2022; this advisory was first released on 2022-06-30.

CVE-2022-33932 (OneFS)
  >= 9.1.0.20, >= 9.2.1.13, >= 9.4.0.3: These versions are remediated.
  9.1.0.0 through 9.1.0.19, 9.2.1.0 through 9.2.1.12, 9.4.0.0 through 9.4.0.2: Download and install the latest RUP.
  9.3.0.0 through 9.3.0.6: RUP expected in July 2022. If a fix is needed sooner, upgrade your version of OneFS.
  Any other version: Upgrade your version of OneFS.

CVE-2022-31238 (OneFS)
  >= 9.1.0.20, >= 9.2.1.13, >= 9.4.0.3: These versions are remediated.
  9.1.0.0 through 9.1.0.19, 9.2.1.0 through 9.2.1.12, 9.4.0.0 through 9.4.0.2: Download and install the latest RUP.
  9.3.0.0 through 9.3.0.6: RUP expected in July 2022. If a fix is needed sooner, upgrade your version of OneFS.
  Any other version: Upgrade your version of OneFS.

CVE-2022-31239 (OneFS)
  >= 9.1.0.20, >= 9.2.1.13, >= 9.4.0.0: These versions are remediated.
  9.1.0.0 through 9.1.0.19, 9.2.1.0 through 9.2.1.12: Download and install the latest RUP.
  9.3.0.0 through 9.3.0.6: RUP expected in July 2022. If a fix is needed sooner, upgrade your version of OneFS.
  Any other version: Upgrade your version of OneFS.

CVE-2022-32480 (OneFS)
  >= 9.1.0.20, >= 9.2.1.13, >= 9.4.0.3: These versions are remediated.
  9.1.0.0 through 9.1.0.19, 9.2.1.0 through 9.2.1.12, 9.4.0.0 through 9.4.0.2: Download and install the latest RUP.
  9.3.0.0 through 9.3.0.6: RUP expected in July 2022. If a fix is needed sooner, upgrade your version of OneFS.
  Any other version: Upgrade your version of OneFS.

CVE-2022-31237 (OneFS)
  >= 9.2.1.13, >= 9.4.0.0: These versions are remediated.
  9.2.1.0 through 9.2.1.12: Download and install the latest RUP.
  9.3.0.0 through 9.3.0.6: RUP expected in July 2022. If a fix is needed sooner, upgrade your version of OneFS.
  9.2.0.0 or 9.2.0.1: Upgrade your version of OneFS.

libxml2 CVEs (CVE-2021-3518, CVE-2021-3517, CVE-2021-3516, CVE-2020-7595, CVE-2019-20388, CVE-2022-23308, CVE-2020-24977, CVE-2021-3541, CVE-2021-3537) (OneFS, libxml2 component)
  >= 9.1.0.20, >= 9.2.1.13, >= 9.4.0.3: These versions are remediated.
  9.1.0.0 through 9.1.0.19, 9.2.1.0 through 9.2.1.12, 9.4.0.0 through 9.4.0.2: Download and install the latest RUP.
  9.3.0.0 through 9.3.0.6: RUP expected in July 2022. If a fix is needed sooner, upgrade your version of OneFS.
  Any other version: Upgrade your version of OneFS.

libexpat CVEs (CVE-2018-20843, CVE-2019-15903, CVE-2013-0340, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2021-46143, CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315, CVE-2022-25314, CVE-2022-25313) (OneFS, libexpat component)
  >= 9.1.0.20, >= 9.2.1.13, >= 9.4.0.0: These versions are remediated.
  9.1.0.0 through 9.1.0.19, 9.2.1.0 through 9.2.1.12: Download and install the latest RUP.
  9.3.0.0 through 9.3.0.6: RUP expected in July 2022. If a fix is needed sooner, upgrade your version of OneFS.
  Any other version: Upgrade your version of OneFS.
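The remediation table above is easy to misread because the same CVE is fixed at a different patch level on each release train (9.1.0, 9.2.1, 9.3.0, 9.4.0), and 9.3.0 had no RUP at publication. The following script, an added example and not Dell's code, transcribes the table into data and maps a four-part OneFS version to the action the advisory gives for every CVE and third-party group. The TrainRow record, the function names and the action strings are this example's own; versions on trains the advisory does not list (for example 9.0.0.x, or anything released after 9.4.0) fall through to the advisory's default row and should be checked against later Dell advisories.

```python
"""Map an installed OneFS version to the action DSA-2022-149 prescribes per CVE.

Added example, not Dell's code. Ranges are transcribed from the advisory's
"Affected Products and Remediation" table; TrainRow, the function names and the
action strings are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass

Version = tuple[int, int, int, int]

REMEDIATED = "remediated"
RUP = "Download and install the latest RUP"
RUP_PENDING = "RUP expected in July 2022; upgrade OneFS if a fix is needed sooner"
UPGRADE = "Upgrade your version of OneFS"
NOT_LISTED = "not listed in DSA-2022-149"


@dataclass(frozen=True)
class TrainRow:
    """One release train (first three version components) in the advisory table."""
    affected: tuple[int, int] | None  # inclusive vulnerable patch-level range, or None
    fixed_from: int | None            # first remediated patch level on this train, or None
    if_affected: str = RUP            # action the advisory gives inside the affected range


# Rows shared by most of the table: RUPs on 9.1.0 / 9.2.1 / 9.4.0, nothing yet for 9.3.0.
FULL = {
    "9.1.0": TrainRow((0, 19), 20),
    "9.2.1": TrainRow((0, 12), 13),
    "9.3.0": TrainRow((0, 6), None, RUP_PENDING),
    "9.4.0": TrainRow((0, 2), 3),
}
# Same, except 9.4.0 was never affected (remediated from 9.4.0.0).
NO_94 = {**FULL, "9.4.0": TrainRow(None, 0)}

# (rows keyed by train, default action for any version not covered by a row)
ADVISORY: dict[str, tuple[dict[str, TrainRow], str]] = {
    "CVE-2022-33932": (FULL, UPGRADE),
    "CVE-2022-31238": (FULL, UPGRADE),
    "CVE-2022-31239": (NO_94, UPGRADE),
    "CVE-2022-32480": (FULL, UPGRADE),
    "CVE-2022-31237": ({
        "9.2.0": TrainRow((0, 1), None, UPGRADE),   # no RUP on the 9.2.0 train
        "9.2.1": TrainRow((0, 12), 13),
        "9.3.0": TrainRow((0, 6), None, RUP_PENDING),
        "9.4.0": TrainRow(None, 0),
    }, NOT_LISTED),                                  # the table has no "any other version" row
    "libxml2 CVEs": (FULL, UPGRADE),
    "libexpat CVEs": (NO_94, UPGRADE),
}


def parse_version(text: str) -> Version:
    """Parse a four-part OneFS version such as '9.3.0.6'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a four-part OneFS version like 9.3.0.6, got {text!r}")
    major, minor, maint, patch = (int(p) for p in parts)
    return (major, minor, maint, patch)


def action_for(cve: str, version: Version) -> str:
    """Advisory action for one CVE (or third-party group) at this version."""
    rows, default = ADVISORY[cve]
    row = rows.get(".".join(str(n) for n in version[:3]))
    patch = version[3]
    if row is None:
        return default
    if row.affected is not None and row.affected[0] <= patch <= row.affected[1]:
        return row.if_affected
    if row.fixed_from is not None and patch >= row.fixed_from:
        return REMEDIATED
    return default


def report(version_text: str) -> dict[str, str]:
    """Actions for every entry in the advisory, keyed by CVE / component."""
    version = parse_version(version_text)
    return {cve: action_for(cve, version) for cve in ADVISORY}


def needs_action(version_text: str) -> list[str]:
    """Entries for which this version is still exposed (not remediated, not unlisted)."""
    return [cve for cve, act in report(version_text).items()
            if act not in (REMEDIATED, NOT_LISTED)]


if __name__ == "__main__":
    import sys
    for ver in sys.argv[1:] or ["9.3.0.6"]:
        print(ver)
        for cve, act in report(ver).items():
            print(f"  {cve:<16} {act}")
```

Run it with one or more versions as arguments. The train-scoped comparison is the point: a naive ">= 9.1.0.20" check would report 9.2.0.1 as remediated, whereas the advisory sends 9.2.0.x to a full upgrade.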
Workarounds and Mitigations

CVE-2022-31238, CVE-2022-31239: Dell does not recommend using FTP to upload diagnostic information. For information on a secure solution to upload diagnostic information, see the "SRS Summary" section in the PowerScale OneFS Web or CLI administration guides.
CVE-2022-32480: Disable all unnecessary services for unneeded protocols by following the recommendations in the OneFS Security Configuration Guide.
CVE-2022-31237: Ensure filesystem permissions on parent directories containing SyncIQ datasets are set securely.
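The CVE-2022-31237 mitigation asks for "secure" permissions on the parent directories of SyncIQ datasets without saying what that means. The script below, an added example that is not Dell's code and not part of OneFS or SyncIQ, walks every parent directory above a dataset path and reports those whose POSIX mode bits violate a policy. The policy is this example's assumption: no read, write or execute for "other", and no write for the group, since those bits are what let a low-privileged local user traverse or alter the path SyncIQ replicates; adjust DISALLOWED to your own baseline. The sample tree in demo() is constructed under a temporary directory purely for illustration.

```python
"""Audit the POSIX mode bits of every parent directory above a SyncIQ dataset.

Added example, not Dell's code. The policy (DISALLOWED) and the demo tree are
this example's assumptions, not anything the advisory specifies.
"""
from __future__ import annotations

import os
import shutil
import stat
import tempfile
from pathlib import Path

# Assumed policy: bits that should not appear on a parent directory of a dataset.
DISALLOWED = stat.S_IRWXO | stat.S_IWGRP


def parents_up_to(path: str | os.PathLike, stop_at: str | os.PathLike) -> list[Path]:
    """Parent directories of `path`, innermost first, ending at `stop_at` (inclusive).
    If `stop_at` is not an ancestor of `path`, the walk ends at the filesystem root."""
    stop = Path(stop_at).resolve()
    chain: list[Path] = []
    for parent in Path(path).resolve().parents:
        chain.append(parent)
        if parent == stop:
            break
    return chain


def audit(path: str | os.PathLike, stop_at: str | os.PathLike,
          disallowed: int = DISALLOWED) -> list[tuple[str, str, str]]:
    """Return (directory, mode, offending bits) for each parent violating the policy.
    Modes are rendered in octal, e.g. ('/ifs/data/shared', '0o777', '0o27')."""
    findings = []
    for directory in parents_up_to(path, stop_at):
        mode = stat.S_IMODE(directory.stat().st_mode)
        offending = mode & disallowed
        if offending:
            findings.append((str(directory), oct(mode), oct(offending)))
    return findings


def demo() -> list[tuple[str, str, str]]:
    """Constructed sample tree: only the world-writable 'shared' parent is reported."""
    root = Path(tempfile.mkdtemp(prefix="synciq-audit-"))
    try:
        ifs = root / "ifs"
        dataset = ifs / "data" / "shared" / "dataset"
        dataset.mkdir(parents=True)
        os.chmod(ifs, 0o750)
        os.chmod(ifs / "data", 0o750)
        os.chmod(ifs / "data" / "shared", 0o777)  # world-readable and -writable parent
        os.chmod(dataset, 0o700)                   # the dataset itself is not a parent
        return audit(dataset, stop_at=ifs)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for directory, mode, bad in demo():
        print(f"{directory}: mode {mode}, disallowed bits {bad}")
```

On a real cluster call audit() with the dataset's path and /ifs as stop_at. Mode bits are only half the picture: a directory that carries an ACL exposes only an approximation of its access rights through st_mode, so directories with ACLs need the ACL itself reviewed as well.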

Revision History

Revision  Date        Description
1.0       2022-06-30  Initial release

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


Article Properties


Affected Product

PowerScale OneFS, Product Security Information

Last Published Date

30 Nov 2022

Version

4

Article Type

Dell Security Advisory