Article Number: 000209895

DSA-2023-035: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content

Impact

High

Details

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2023-25536	Dell PowerScale OneFS 9.4.0.x contains exposure of sensitive information to an unauthorized actor. A malicious authenticated local user could potentially exploit this vulnerability in certificate management, leading to a potential system takeover.	6.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2023-25540	Dell PowerScale OneFS 9.4.0.x contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability to overwrite arbitrary files causing denial of service.	6.0	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2023-23689	Dell PowerScale nodes A200, A2000, H400, H500, H600, H5600, F800, F810 integrated hardware management software contains an uncontrolled resource consumption vulnerability. This may allow an unauthenticated network host to impair integrated hardware management functionality and trigger OneFS data protection mechanism causing a denial of service.	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Third-party Component	CVEs	More Information
libxml2	CVE-2022-40304	See NVD for more details.
python38	CVE-2020-10735	See NVD for more details.
Intel Platform	CVE-2021-0153 CVE-2021-0154 CVE-2021-0155 CVE-2021-0159 CVE-2021-0188 CVE-2021-0189 CVE-2021-0190 CVE-2021-33060 CVE-2021-33103 CVE-2021-33122 CVE-2021-33123 CVE-2021-33124 CVE-2022-21123 CVE-2022-21125 CVE-2022-21127 CVE-2022-21166 CVE-2022-21180	INTEL-SA-00601 INTEL-SA-00686
	CVE-2022-0004 CVE-2021-21131	INTEL-SA-00613 See NVD for details.
	CVE-2022-0778	See NVD for details.
Arista EOS	CVE-2021-28500 CVE-2021-28501 CVE-2021-28503 CVE-2021-28506 CVE-2021-28507 CVE-2021-28496	See NVD for details. See NVD for details. See NVD for details. See NVD for details. See NVD for details. See NVD for details.

NOTE: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0.

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2023-25536	Dell PowerScale OneFS 9.4.0.x contains exposure of sensitive information to an unauthorized actor. A malicious authenticated local user could potentially exploit this vulnerability in certificate management, leading to a potential system takeover.	6.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2023-25540	Dell PowerScale OneFS 9.4.0.x contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability to overwrite arbitrary files causing denial of service.	6.0	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2023-23689	Dell PowerScale nodes A200, A2000, H400, H500, H600, H5600, F800, F810 integrated hardware management software contains an uncontrolled resource consumption vulnerability. This may allow an unauthenticated network host to impair integrated hardware management functionality and trigger OneFS data protection mechanism causing a denial of service.	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Third-party Component	CVEs	More Information
libxml2	CVE-2022-40304	See NVD for more details.
python38	CVE-2020-10735	See NVD for more details.
Intel Platform	CVE-2021-0153 CVE-2021-0154 CVE-2021-0155 CVE-2021-0159 CVE-2021-0188 CVE-2021-0189 CVE-2021-0190 CVE-2021-33060 CVE-2021-33103 CVE-2021-33122 CVE-2021-33123 CVE-2021-33124 CVE-2022-21123 CVE-2022-21125 CVE-2022-21127 CVE-2022-21166 CVE-2022-21180	INTEL-SA-00601 INTEL-SA-00686
	CVE-2022-0004 CVE-2021-21131	INTEL-SA-00613 See NVD for details.
	CVE-2022-0778	See NVD for details.
Arista EOS	CVE-2021-28500 CVE-2021-28501 CVE-2021-28503 CVE-2021-28506 CVE-2021-28507 CVE-2021-28496	See NVD for details. See NVD for details. See NVD for details. See NVD for details. See NVD for details. See NVD for details.

NOTE: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0.

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVE(s) Addressed	Product	Affected Version(s)	Updated Version(s)	Link to Update
CVE-2022-40304	PowerScale OneFS	9.1.0.0 through 9.1.0.27 9.2.1.0 through 9.2.1.20 9.4.0.0 through 9.4.0.11	Download and install the latest RUP. >= 9.1.0.28 >= 9.2.1.21 >= 9.4.0.13 >= 9.5.0.0	PowerScale OneFS Downloads Area
CVE-2022-40304	PowerScale OneFS	Any other version	Upgrade your version of PowerScale OneFS.
CVE-2023-25536	PowerScale OneFS	9.4.0.0 through 9.4.0.11	Download and install the latest RUP. >= 9.4.0.12
CVE-2023-25540	PowerScale OneFS	9.4.0.0 through 9.4.0.11	Download and install the latest RUP. >= 9.4.0.12
CVE-2020-10735	PowerScale OneFS	9.4.0.0 through 9.4.0.11	Download and install the latest RUP. >= 9.4.0.12
CVE-2021-0153 CVE-2021-0154 CVE-2021-0155 CVE-2021-0159 CVE-2021-0188 CVE-2021-0189 CVE-2021-0190 CVE-2021-33060 CVE-2021-33103 CVE-2021-33122 CVE-2021-33123 CVE-2021-33124 CVE-2022-21123 CVE-2022-21125 CVE-2022-21127 CVE-2022-21166 CVE-2022-21180	A200 A2000 F800 F810 H400 H500 H600 H5600	9.5.0.x 9.4.0.x 9.3.0.x 9.2.1.x 9.2.0.x 9.1.0.x 9.0.0.x	Download and install the latest NFP version >= 11.6.1
CVE-2022-0004 CVE-2021-21131	A300 A3000 H700 H7000	9.5.0.x 9.4.0.x 9.3.0.x 9.2.1.x 9.2.0.x 9.1.0.x 9.0.0.x
CVE-2022-0778	A300 A3000 H700 H7000	9.5.0.x 9.4.0.x 9.3.0.x 9.2.1.x 9.2.0.x 9.1.0.x 9.0.0.x
CVE-2023-23689	A200 A2000 H400 H500 H600 H5600 F800 F810	9.5.0.x 9.4.0.x 9.3.0.x 9.2.1.x 9.2.0.x 9.1.0.x 9.0.0.x
CVE-2021-28500 CVE-2021-28501 CVE-2021-28503 CVE-2021-28506 CVE-2021-28507 CVE-2021-28496	PowerScale OneFS with Arista Switch Series DCS-7304 and DCS-7308	9.5.0.x 9.4.0.x 9.3.0.x 9.2.1.x 9.2.0.x 9.1.0.x 9.0.0.x	Download and install Arista EOS >=4.28.3

Note: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0

CVE(s) Addressed	Product	Affected Version(s)	Updated Version(s)	Link to Update
CVE-2022-40304	PowerScale OneFS	9.1.0.0 through 9.1.0.27 9.2.1.0 through 9.2.1.20 9.4.0.0 through 9.4.0.11	Download and install the latest RUP. >= 9.1.0.28 >= 9.2.1.21 >= 9.4.0.13 >= 9.5.0.0	PowerScale OneFS Downloads Area
CVE-2022-40304	PowerScale OneFS	Any other version	Upgrade your version of PowerScale OneFS.
CVE-2023-25536	PowerScale OneFS	9.4.0.0 through 9.4.0.11	Download and install the latest RUP. >= 9.4.0.12
CVE-2023-25540	PowerScale OneFS	9.4.0.0 through 9.4.0.11	Download and install the latest RUP. >= 9.4.0.12
CVE-2020-10735	PowerScale OneFS	9.4.0.0 through 9.4.0.11	Download and install the latest RUP. >= 9.4.0.12
CVE-2021-0153 CVE-2021-0154 CVE-2021-0155 CVE-2021-0159 CVE-2021-0188 CVE-2021-0189 CVE-2021-0190 CVE-2021-33060 CVE-2021-33103 CVE-2021-33122 CVE-2021-33123 CVE-2021-33124 CVE-2022-21123 CVE-2022-21125 CVE-2022-21127 CVE-2022-21166 CVE-2022-21180	A200 A2000 F800 F810 H400 H500 H600 H5600	9.5.0.x 9.4.0.x 9.3.0.x 9.2.1.x 9.2.0.x 9.1.0.x 9.0.0.x	Download and install the latest NFP version >= 11.6.1
CVE-2022-0004 CVE-2021-21131	A300 A3000 H700 H7000	9.5.0.x 9.4.0.x 9.3.0.x 9.2.1.x 9.2.0.x 9.1.0.x 9.0.0.x
CVE-2022-0778	A300 A3000 H700 H7000	9.5.0.x 9.4.0.x 9.3.0.x 9.2.1.x 9.2.0.x 9.1.0.x 9.0.0.x
CVE-2023-23689	A200 A2000 H400 H500 H600 H5600 F800 F810	9.5.0.x 9.4.0.x 9.3.0.x 9.2.1.x 9.2.0.x 9.1.0.x 9.0.0.x
CVE-2021-28500 CVE-2021-28501 CVE-2021-28503 CVE-2021-28506 CVE-2021-28507 CVE-2021-28496	PowerScale OneFS with Arista Switch Series DCS-7304 and DCS-7308	9.5.0.x 9.4.0.x 9.3.0.x 9.2.1.x 9.2.0.x 9.1.0.x 9.0.0.x	Download and install Arista EOS >=4.28.3

Note: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0

Workarounds and Mitigations

CVEs	Workarounds
CVE-2023-25540	Manually set the permissions of /ifs/.ifsvar/modules/security_check to 755. #chmod 755 /ifs/.ifsvar/modules/security_check
CVE-2023-25536	Manually remove the self-signed certificates on cluster nodes. #isi_for_array "test -e /etc/ssl/certs/4a7a8630.0 && rm -f /etc/ssl/certs/4a7a8630.0 \|\| exit 0"

Revision History

Revision	Date	Description
1.0	2023-02-28	Initial release
1.1	2023-03-02	Added CVE-2023-25536 and updated Workaround and Mitigation section.
1.2	2023-05-17	Added Arista EOS CVEs

Related Information

Legal Information

Article Properties

Affected Product

PowerScale OneFS, PowerScale Archive A300, PowerScale Archive A3000, PowerScale Hybrid H700, PowerScale Hybrid H7000, Product Security Information

DSA-2023-035: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content

Impact

Details

Affected Products and Remediation

Workarounds and Mitigations

Revision History

Related Information

Legal Information

Article Properties

Affected Product

Last Published Date

Version

Article Type

Welcome

Welcome to Dell

DSA-2023-035: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content

Impact

Details

Affected Products and Remediation

Workarounds and Mitigations

Revision History

Related Information

Legal Information

Article Properties

Affected Product

Last Published Date

Version

Article Type