DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

Critical

Details

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2022-34437 Dell PowerScale OneFS, versions 8.2.2-9.3.0, contain an operating system command injection vulnerability. A privileged local malicious user may potentially exploit this vulnerability, leading to a full system compromise. This issue impacts compliance mode clusters. 6.7  CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34438 Dell PowerScale OneFS, versions 8.2.x-9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privileges may potentially exploit this vulnerability, leading to full system compromise. This issue impacts compliance mode clusters. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34439 Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to denial of service and performance issue on that node. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
 
Third-party Component CVEs CVSS Vector String
Intel Platform CVE-2021-0148 Intel-SA-00535
CVE-2021-0092 Intel-SA-00527
CVE-2021-0093
CVE-2021-0099
CVE-2021-0103
CVE-2021-0107
CVE-2021-0111
CVE-2021-0114
CVE-2021-0115
CVE-2021-0116
CVE-2021-0117
CVE-2021-0118
CVE-2021-0124
CVE-2021-0125 
CVE-2021-0127 
CVE-2021-0060
CVE-2021-00147
CVE-2020-24511 Intel-SA-00463
CVE-2020-24512
CVE-2020-12357 Intel-SA-00464

 
CVE-2020-12358
CVE-2020-12360
CVE-2020-24486
CVE-2021-0144 Intel-SA-00525
CVE-2020-0591, CVE-2020-0592, CVE-2020-0593 Intel-SA-00358
CVE-2020-0587, CVE-2020-0588, CVE-2020-0590, CVE-2020-8764, CVE-2020-8738, CVE-2020-8739, CVE-2020-8740 Intel-SA-00390
CVE-2020-8705, CVE-2020-8755 Intel-SA-00391
CVE-2020-8696 Intel-SA-00381
PowerEdge CVE-2019-14553 DSA-2021-176: Dell PowerEdge Server BIOS EDK II Vulnerability
CVE-2019-14584, CVE-2021-28210, CVE-2021-28211 DSA-2022-088: Dell PowerEdge Server BIOS Security Update for Multiple Tianocore EDK2 Vulnerabilities
Cyrus SASL CVE-2022-24407 See NVD (http://nvd.nist.gov/) for individual scores for each CVE.
 
CVE-2019-19906
CVE-2013-4122
Dell SmartFabric OS10 CVE-2021-36306, CVE-2021-36307, CVE-2021-36308, CVE-2021-36310, CVE-2021-36319, CVE-2021-3711, CVE-2021-3712 DSA-2021-189: Dell SmartFabric OS10 Security Update for a Multiple Security Vulnerabilities
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2022-34437 Dell PowerScale OneFS, versions 8.2.2-9.3.0, contain an operating system command injection vulnerability. A privileged local malicious user may potentially exploit this vulnerability, leading to a full system compromise. This issue impacts compliance mode clusters. 6.7  CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34438 Dell PowerScale OneFS, versions 8.2.x-9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privileges may potentially exploit this vulnerability, leading to full system compromise. This issue impacts compliance mode clusters. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34439 Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to denial of service and performance issue on that node. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
 
Third-party Component CVEs CVSS Vector String
Intel Platform CVE-2021-0148 Intel-SA-00535
CVE-2021-0092 Intel-SA-00527
CVE-2021-0093
CVE-2021-0099
CVE-2021-0103
CVE-2021-0107
CVE-2021-0111
CVE-2021-0114
CVE-2021-0115
CVE-2021-0116
CVE-2021-0117
CVE-2021-0118
CVE-2021-0124
CVE-2021-0125 
CVE-2021-0127 
CVE-2021-0060
CVE-2021-00147
CVE-2020-24511 Intel-SA-00463
CVE-2020-24512
CVE-2020-12357 Intel-SA-00464

 
CVE-2020-12358
CVE-2020-12360
CVE-2020-24486
CVE-2021-0144 Intel-SA-00525
CVE-2020-0591, CVE-2020-0592, CVE-2020-0593 Intel-SA-00358
CVE-2020-0587, CVE-2020-0588, CVE-2020-0590, CVE-2020-8764, CVE-2020-8738, CVE-2020-8739, CVE-2020-8740 Intel-SA-00390
CVE-2020-8705, CVE-2020-8755 Intel-SA-00391
CVE-2020-8696 Intel-SA-00381
PowerEdge CVE-2019-14553 DSA-2021-176: Dell PowerEdge Server BIOS EDK II Vulnerability
CVE-2019-14584, CVE-2021-28210, CVE-2021-28211 DSA-2022-088: Dell PowerEdge Server BIOS Security Update for Multiple Tianocore EDK2 Vulnerabilities
Cyrus SASL CVE-2022-24407 See NVD (http://nvd.nist.gov/) for individual scores for each CVE.
 
CVE-2019-19906
CVE-2013-4122
Dell SmartFabric OS10 CVE-2021-36306, CVE-2021-36307, CVE-2021-36308, CVE-2021-36310, CVE-2021-36319, CVE-2021-3711, CVE-2021-3712 DSA-2021-189: Dell SmartFabric OS10 Security Update for a Multiple Security Vulnerabilities
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

Note: Out of an abundance of caution, PowerScale OneFS version 9.3.0.8 was removed while Dell investigates issues reported with the release. PowerScale OneFS has released 9.3.0.9.
 
CVEs Addressed Product Affected Versions Updated Versions Link to Update
CVE-2021-0148 F600 with Intel P4510 2TB and 4 TB ISE drives PowerScale OneFS Versions:
9.4.0.x
9.3.0.x
9.2.1.x
9.2.0.x
9.1.0.x
9.0.0.x
Drive Support Package versions before 1.42.3.		 Download and install Drive Support Package.
> = 1.42.3		 PowerScale OneFS Downloads Area























 
CVE-2021-0092 A200, A2000, A300, A3000, F200, F600, F800, F810, F900, H400, H500, H5600, H600, H700, H7000, B100, P100
 		 PowerScale OneFS Versions:
9.4.0.x
9.3.0.x
9.2.1.x
9.2.0.x
9.1.0.x
9.0.0.x
Node Firmware Package versions before 11.5.1.
 		 Download and install the latest Node Firmware Package version.
> = 11.5.1
CVE-2021-0093
CVE-2021-0099
CVE-2021-0103
CVE-2021-0107
CVE-2021-0111
CVE-2021-0114
CVE-2021-0115
CVE-2021-0116
CVE-2021-0117
CVE-2021-0118
CVE-2021-0124
CVE-2021-0125 
CVE-2021-0127 
CVE-2021-0060
CVE-2021-00147 A200, A2000, A300, A3000, F800, F810, H400, H500, H5600, H600, H700, H7000
CVE-2020-24511 A300, A3000, H700, H7000
CVE-2020-12358
CVE-2020-12360 A200, A2000, A300, A3000, F800, F810, H400, H500, H5600, H600, H700, H7000
CVE-2020-24486 A300, A3000, H700, H7000
CVE-2021-0144
 		 A200, A2000, A300, A3000, F800, F810, H400, H500, H5600, H600, H700, H7000
CVE-2020-0591 A2000, A200, H400, H500, H600, F800, F900, F200, F600, B100, and P100
CVE-2020-0592
CVE-2020-0593 A2000, A200, H400, F900, F200, F600, B100, and P100
CVE-2020-8738
CVE-2020-8739
CVE-2020-8740
CVE-2020-8764
CVE-2020-0587 F900, F200, F600, B100, and P100
CVE-2020-0588
CVE-2020-0590
CVE-2020-8705
CVE-2020-8755
CVE-2020-8696
CVE-2019-14553 B100, P100, F200, F600, F900
CVE-2019-14584
CVE-2021-28210
CVE-2021-28211
CVE-2022-24407 PowerScale OneFS 9.1.0.0 through 9.1.0.21
9.2.1.0 through 9.2.1.15
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.5		 Download and install the latest RUP.
> = 9.1.0.22
> = 9.2.1.16
> = 9.3.0.8
> = 9.4.0.6
CVE-2019-19906
CVE-2013-4122
Any other version Upgrade your version of PowerScale OneFS.
CVE-2022-34437 PowerScale OneFS 9.1.0.0 through 9.1.0.21
9.2.1.0 through 9.2.1.15
9.3.0.0 through 9.3.0.7		 Download and install the latest RUP.
> = 9.1.0.22
> = 9.2.1.16
> = 9.3.0.8
Any other version Upgrade your version of PowerScale OneFS.
CVE-2022-34438 PowerScale OneFS 9.1.0.0 through 9.1.0.22
9.2.1.0 through 9.2.1.15
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.5		 Download and install the latest RUP.
> = 9.1.0.23
> = 9.2.1.16
> = 9.3.0.8
> = 9.4.0.6
Any other version Upgrade your version of PowerScale OneFS.
CVE-2022-34439 PowerScale OneFS 9.1.0.0 through 9.1.0.22
9.2.1.0 through 9.2.1.15
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.5		 Download and install the latest RUP.
> = 9.1.0.23
> = 9.2.1.16
> = 9.3.0.8
> = 9.4.0.6
Any other version Upgrade your version of PowerScale OneFS or apply the steps that are listed in the "Workaround and Mitigations" section in the next table.
CVE-2021-36306, CVE-2021-36307, CVE-2021-36308, CVE-2021-36310, CVE-2021-36319, CVE-2021-3711, CVE-2021-3712 PowerScale OneFS with Dell Networking switch running Networking OS10 firmware.
 		 PowerScale OneFS Versions:
9.4.0.x
9.3.0.x
9.2.1.x
9.2.0.x
9.1.0.x
9.0.0.x
With DNOS version before 10.5.2.11		 10.5.2.11 SmartFabric OS10 Drivers & Downloads
Note: Out of an abundance of caution, PowerScale OneFS version 9.3.0.8 was removed while Dell investigates issues reported with the release. PowerScale OneFS has released 9.3.0.9.
 
CVEs Addressed Product Affected Versions Updated Versions Link to Update
CVE-2021-0148 F600 with Intel P4510 2TB and 4 TB ISE drives PowerScale OneFS Versions:
9.4.0.x
9.3.0.x
9.2.1.x
9.2.0.x
9.1.0.x
9.0.0.x
Drive Support Package versions before 1.42.3.		 Download and install Drive Support Package.
> = 1.42.3		 PowerScale OneFS Downloads Area























 
CVE-2021-0092 A200, A2000, A300, A3000, F200, F600, F800, F810, F900, H400, H500, H5600, H600, H700, H7000, B100, P100
 		 PowerScale OneFS Versions:
9.4.0.x
9.3.0.x
9.2.1.x
9.2.0.x
9.1.0.x
9.0.0.x
Node Firmware Package versions before 11.5.1.
 		 Download and install the latest Node Firmware Package version.
> = 11.5.1
CVE-2021-0093
CVE-2021-0099
CVE-2021-0103
CVE-2021-0107
CVE-2021-0111
CVE-2021-0114
CVE-2021-0115
CVE-2021-0116
CVE-2021-0117
CVE-2021-0118
CVE-2021-0124
CVE-2021-0125 
CVE-2021-0127 
CVE-2021-0060
CVE-2021-00147 A200, A2000, A300, A3000, F800, F810, H400, H500, H5600, H600, H700, H7000
CVE-2020-24511 A300, A3000, H700, H7000
CVE-2020-12358
CVE-2020-12360 A200, A2000, A300, A3000, F800, F810, H400, H500, H5600, H600, H700, H7000
CVE-2020-24486 A300, A3000, H700, H7000
CVE-2021-0144
 		 A200, A2000, A300, A3000, F800, F810, H400, H500, H5600, H600, H700, H7000
CVE-2020-0591 A2000, A200, H400, H500, H600, F800, F900, F200, F600, B100, and P100
CVE-2020-0592
CVE-2020-0593 A2000, A200, H400, F900, F200, F600, B100, and P100
CVE-2020-8738
CVE-2020-8739
CVE-2020-8740
CVE-2020-8764
CVE-2020-0587 F900, F200, F600, B100, and P100
CVE-2020-0588
CVE-2020-0590
CVE-2020-8705
CVE-2020-8755
CVE-2020-8696
CVE-2019-14553 B100, P100, F200, F600, F900
CVE-2019-14584
CVE-2021-28210
CVE-2021-28211
CVE-2022-24407 PowerScale OneFS 9.1.0.0 through 9.1.0.21
9.2.1.0 through 9.2.1.15
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.5		 Download and install the latest RUP.
> = 9.1.0.22
> = 9.2.1.16
> = 9.3.0.8
> = 9.4.0.6
CVE-2019-19906
CVE-2013-4122
Any other version Upgrade your version of PowerScale OneFS.
CVE-2022-34437 PowerScale OneFS 9.1.0.0 through 9.1.0.21
9.2.1.0 through 9.2.1.15
9.3.0.0 through 9.3.0.7		 Download and install the latest RUP.
> = 9.1.0.22
> = 9.2.1.16
> = 9.3.0.8
Any other version Upgrade your version of PowerScale OneFS.
CVE-2022-34438 PowerScale OneFS 9.1.0.0 through 9.1.0.22
9.2.1.0 through 9.2.1.15
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.5		 Download and install the latest RUP.
> = 9.1.0.23
> = 9.2.1.16
> = 9.3.0.8
> = 9.4.0.6
Any other version Upgrade your version of PowerScale OneFS.
CVE-2022-34439 PowerScale OneFS 9.1.0.0 through 9.1.0.22
9.2.1.0 through 9.2.1.15
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.5		 Download and install the latest RUP.
> = 9.1.0.23
> = 9.2.1.16
> = 9.3.0.8
> = 9.4.0.6
Any other version Upgrade your version of PowerScale OneFS or apply the steps that are listed in the "Workaround and Mitigations" section in the next table.
CVE-2021-36306, CVE-2021-36307, CVE-2021-36308, CVE-2021-36310, CVE-2021-36319, CVE-2021-3711, CVE-2021-3712 PowerScale OneFS with Dell Networking switch running Networking OS10 firmware.
 		 PowerScale OneFS Versions:
9.4.0.x
9.3.0.x
9.2.1.x
9.2.0.x
9.1.0.x
9.0.0.x
With DNOS version before 10.5.2.11		 10.5.2.11 SmartFabric OS10 Drivers & Downloads

Workarounds & Mitigations

CVE  Workarounds
CVE-2022-34439 This vulnerability only applies to:

Ethernet backend cluster with Single (nonredundant) backend configuration

Disable LBFO by issuing the command: 
if $(isi cluster internal-networks view | grep -q "Failover Status: disabled" ) && $(isi cluster internal-networks view | grep -q "Fabric: Ethernet"); then echo; echo "Disabling service, please re-enable after upgrade to fixed version" ; isi services isi_lbfo_d disable ; else echo; echo "Not impacted" ; fi

After the patch is applied or upgrades to a version with the issue resolved, revert this mitigation with the command: 
#isi services isi_lbfo_d enable
Note: This is required before future configurations using redundant backend interfaces.

Revision History

RevisionDateDescription
1.02022-10-13Initial Release
1.12022-10-24Updated Affected Versions and Remediation section
Corrected a typographical error in Workaround and Mitigation Section
1.22022-11-7
  • Updated applicable sections with information for additional CVEs
  • Corrected affected versions for CVE-2022-34439
  • Added note on PowerScale OneFS version 9.3.0.8.
1.32022-11-15Updated applicable sections with information for additional CVEs (CVE-2021-36306, CVE-2021-36307, CVE-2021-36308, CVE-2021-36310, CVE-2021-36319, CVE-2021-3711, and CVE-2021-3712)
1.42023-02-02Updated the wordings in Workarounds and Mitigation section for CVE-2022-34439

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

Isilon A200, Isilon A2000, Isilon F800, Isilon F810, Isilon H400, Isilon H500, Isilon H5600, Isilon H600, PowerScale Archive A300, PowerScale Archive A3000, PowerScale B100, PowerScale F200, PowerScale F600, PowerScale F900, PowerScale Hybrid H700 , PowerScale Hybrid H7000, PowerScale P100, Product Security Information ...

Products

PowerScale OneFS
Article Properties
Article Number: 000204053
Article Type: Dell Security Advisory
Last Modified: 02 Feb 2023
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.