DSA-2024-028: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

High

Details

Third-Party Component CVEs More information
Python CVE-2022-48566 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
Python CVE-2022-48560, CVE-2023-41105, CVE-2022-48564, CVE-2023-40217, CVE-2022-45061 See NVD link below for individual scores for each CVE. 
http://nvd.nist.gov/ This hyperlink is taking you to a website outside of Dell Technologies.
GNU Screen CVE-2023-24626, CVE-2015-6806, CVE-2009-1214, CVE-2009-1215 See NVD link below for individual scores for each CVE. 
http://nvd.nist.gov/ This hyperlink is taking you to a website outside of Dell Technologies.
Curl CVE-2023-38545, CVE-2023-38546 See NVD link below for individual scores for each CVE. 
http://nvd.nist.gov/ This hyperlink is taking you to a website outside of Dell Technologies.
OpenSSL CVE-2023-3446 https://nvd.nist.gov/vuln/detail/CVE-2023-3446 This hyperlink is taking you to a website outside of Dell Technologies.
python-certifi CVE-2023-37920 https://nvd.nist.gov/vuln/detail/CVE-2023-37920 This hyperlink is taking you to a website outside of Dell Technologies.

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-22449 Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access. 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-22430  Dell PowerScale OneFS versions 8.2.x through 9.6.0.x contains an incorrect default permissions vulnerability. A local low privileges malicious user could potentially exploit this vulnerability, leading to denial of service. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H This hyperlink is taking you to a website outside of Dell Technologies.
 
 
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-22449 Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access. 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-22430  Dell PowerScale OneFS versions 8.2.x through 9.6.0.x contains an incorrect default permissions vulnerability. A local low privileges malicious user could potentially exploit this vulnerability, leading to denial of service. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H This hyperlink is taking you to a website outside of Dell Technologies.
 
 
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVEs Addressed Product Affected Version Remediated Version Link
CVE-2023-24626, CVE-2015-6806, CVE-2009-1214, CVE-2009-1215, CVE-2024-22430, CVE-2023-3446, CVE-2023-37920  PowerScale OneFS Versions 8.2.0 through 8.2.2 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-38545, CVE-2023-38546, CVE-2023-3446, CVE-2023-24626, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 PowerScale OneFS Versions 9.0.0.0 through 9.4.0.0 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214, CVE-2022-45061 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.6 Version 9.5.0.7 or later, Version 9.7.0.0 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 PowerScale OneFS Version 9.6.1.0 Version 9.7.0.0 or later PowerScale OneFS Downloads Area
CVEs Addressed Product Affected Version Remediated Version Link
CVE-2023-24626, CVE-2015-6806, CVE-2009-1214, CVE-2009-1215, CVE-2024-22430, CVE-2023-3446, CVE-2023-37920  PowerScale OneFS Versions 8.2.0 through 8.2.2 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-38545, CVE-2023-38546, CVE-2023-3446, CVE-2023-24626, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 PowerScale OneFS Versions 9.0.0.0 through 9.4.0.0 Version 9.5.0.7 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214, CVE-2022-45061 PowerScale OneFS Versions 9.5.0.0 through 9.5.0.6 Version 9.5.0.7 or later, Version 9.7.0.0 or later PowerScale OneFS Downloads Area
CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 PowerScale OneFS Version 9.6.1.0 Version 9.7.0.0 or later PowerScale OneFS Downloads Area

Workarounds & Mitigations

CVE Workaround and Mitigation
CVE-2024-22430 This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users.
This vulnerability can be mitigated on new version of PowerScale OneFS i.e. 9.5 or later by enabling the restricted shell for users. 
More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub
The following workaround is only applicable to a non-compliance mode cluster.
If there are users with restricted shell is not enabled, then root user should restrict the permissions for isi_upgrade_force and isi_upgrade_message on every node as follows:
#chmod 500 /usr/sbin/isi_upgrade_force
#chmod 500 /usr/sbin/isi_upgrade_message
Or execute below command on any one node:
#isi_for_array chmod 500 /usr/sbin/isi_upgrade_force
#isi_for_array chmod 500 /usr/sbin/isi_upgrade_message
CVE-2024-22449 This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users.
This vulnerability can be mitigated on new version of PowerScale OneFS i.e. 9.5 or later by enabling the restricted shell for users.
More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub

Revision History

RevisionDateDescription
1.02024-02-01Initial Release

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

PowerScale OneFS
Article Properties
Article Number: 000221707
Article Type: Dell Security Advisory
Last Modified: 19 Sep 2025
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.