DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates
Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Impact
Critical
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2022-34437 | Dell PowerScale OneFS, versions 8.2.2-9.3.0, contain an operating system command injection vulnerability. A privileged local malicious user may potentially exploit this vulnerability, leading to a full system compromise. This issue impacts compliance mode clusters. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-34438 | Dell PowerScale OneFS, versions 8.2.x-9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privileges may potentially exploit this vulnerability, leading to full system compromise. This issue impacts compliance mode clusters. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-34439 | Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x, contain an allocation of resources without limits or throttling vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to denial of service and a performance issue on that node. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |

| Third-party Component | CVEs | Advisory / CVSS Score Reference |
|---|---|---|
| Intel Platform | CVE-2021-0148 | Intel-SA-00535 |
| Intel Platform | CVE-2021-0092, CVE-2021-0093, CVE-2021-0099, CVE-2021-0103, CVE-2021-0107, CVE-2021-0111, CVE-2021-0114, CVE-2021-0115, CVE-2021-0116, CVE-2021-0117, CVE-2021-0118, CVE-2021-0124, CVE-2021-0125, CVE-2021-0127, CVE-2021-0060, CVE-2021-00147 | Intel-SA-00527 |
| Intel Platform | CVE-2020-24511, CVE-2020-24512 | Intel-SA-00463 |
| Intel Platform | CVE-2020-12357, CVE-2020-12358, CVE-2020-12360, CVE-2020-24486 | Intel-SA-00464 |
| Intel Platform | CVE-2021-0144 | Intel-SA-00525 |
| Intel Platform | CVE-2020-0591, CVE-2020-0592, CVE-2020-0593 | Intel-SA-00358 |
| Intel Platform | CVE-2020-0587, CVE-2020-0588, CVE-2020-0590, CVE-2020-8764, CVE-2020-8738, CVE-2020-8739, CVE-2020-8740 | Intel-SA-00390 |
| Intel Platform | CVE-2020-8705, CVE-2020-8755 | Intel-SA-00391 |
| Intel Platform | CVE-2020-8696 | Intel-SA-00381 |
| PowerEdge | CVE-2019-14553 | DSA-2021-176: Dell PowerEdge Server BIOS EDK II Vulnerability |
| PowerEdge | CVE-2019-14584, CVE-2021-28210, CVE-2021-28211 | DSA-2022-088: Dell PowerEdge Server BIOS Security Update for Multiple Tianocore EDK2 Vulnerabilities |
| Cyrus SASL | CVE-2022-24407, CVE-2019-19906, CVE-2013-4122 | See NVD (http://nvd.nist.gov/) for individual scores for each CVE. |
| Dell SmartFabric OS10 | CVE-2021-36306, CVE-2021-36307, CVE-2021-36308, CVE-2021-36310, CVE-2021-36319, CVE-2021-3711, CVE-2021-3712 | DSA-2021-189: Dell SmartFabric OS10 Security Update for Multiple Security Vulnerabilities |
Remediation and Affected Products
Note: Out of an abundance of caution, PowerScale OneFS version 9.3.0.8 was removed while Dell investigates issues reported with the release. PowerScale OneFS has released 9.3.0.9.
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
|---|---|---|---|---|
| CVE-2021-0148 | F600 with Intel P4510 2 TB and 4 TB ISE drives | PowerScale OneFS 9.4.0.x, 9.3.0.x, 9.2.1.x, 9.2.0.x, 9.1.0.x, 9.0.0.x with Drive Support Package versions before 1.42.3 | Download and install Drive Support Package >= 1.42.3 | PowerScale OneFS Downloads Area |
| CVE-2021-0092, CVE-2021-0093, CVE-2021-0099, CVE-2021-0103, CVE-2021-0107, CVE-2021-0111, CVE-2021-0114, CVE-2021-0115, CVE-2021-0116, CVE-2021-0117, CVE-2021-0118, CVE-2021-0124, CVE-2021-0125, CVE-2021-0127, CVE-2021-0060 | A200, A2000, A300, A3000, F200, F600, F800, F810, F900, H400, H500, H5600, H600, H700, H7000, B100, P100 | PowerScale OneFS 9.4.0.x, 9.3.0.x, 9.2.1.x, 9.2.0.x, 9.1.0.x, 9.0.0.x with Node Firmware Package versions before 11.5.1 | Download and install the latest Node Firmware Package version >= 11.5.1 | PowerScale OneFS Downloads Area |
| CVE-2021-00147 | A200, A2000, A300, A3000, F800, F810, H400, H500, H5600, H600, H700, H7000 | As above (Node Firmware Package before 11.5.1) | Node Firmware Package >= 11.5.1 | PowerScale OneFS Downloads Area |
| CVE-2020-24511, CVE-2020-12358 | A300, A3000, H700, H7000 | As above (Node Firmware Package before 11.5.1) | Node Firmware Package >= 11.5.1 | PowerScale OneFS Downloads Area |
| CVE-2020-12360 | A200, A2000, A300, A3000, F800, F810, H400, H500, H5600, H600, H700, H7000 | As above (Node Firmware Package before 11.5.1) | Node Firmware Package >= 11.5.1 | PowerScale OneFS Downloads Area |
| CVE-2020-24486 | A300, A3000, H700, H7000 | As above (Node Firmware Package before 11.5.1) | Node Firmware Package >= 11.5.1 | PowerScale OneFS Downloads Area |
| CVE-2021-0144 | A200, A2000, A300, A3000, F800, F810, H400, H500, H5600, H600, H700, H7000 | As above (Node Firmware Package before 11.5.1) | Node Firmware Package >= 11.5.1 | PowerScale OneFS Downloads Area |
| CVE-2020-0591, CVE-2020-0592 | A2000, A200, H400, H500, H600, F800, F900, F200, F600, B100, and P100 | As above (Node Firmware Package before 11.5.1) | Node Firmware Package >= 11.5.1 | PowerScale OneFS Downloads Area |
| CVE-2020-0593, CVE-2020-8738, CVE-2020-8739, CVE-2020-8740, CVE-2020-8764 | A2000, A200, H400, F900, F200, F600, B100, and P100 | As above (Node Firmware Package before 11.5.1) | Node Firmware Package >= 11.5.1 | PowerScale OneFS Downloads Area |
| CVE-2020-0587, CVE-2020-0588, CVE-2020-0590, CVE-2020-8705, CVE-2020-8755, CVE-2020-8696 | F900, F200, F600, B100, and P100 | As above (Node Firmware Package before 11.5.1) | Node Firmware Package >= 11.5.1 | PowerScale OneFS Downloads Area |
| CVE-2019-14553, CVE-2019-14584, CVE-2021-28210, CVE-2021-28211 | B100, P100, F200, F600, F900 | As above (Node Firmware Package before 11.5.1) | Node Firmware Package >= 11.5.1 | PowerScale OneFS Downloads Area |
| CVE-2022-24407, CVE-2019-19906, CVE-2013-4122 | PowerScale OneFS | 9.1.0.0 through 9.1.0.21; 9.2.1.0 through 9.2.1.15; 9.3.0.0 through 9.3.0.7; 9.4.0.0 through 9.4.0.5 | Download and install the latest RUP: >= 9.1.0.22, >= 9.2.1.16, >= 9.3.0.8, >= 9.4.0.6 | PowerScale OneFS Downloads Area |
| CVE-2022-24407, CVE-2019-19906, CVE-2013-4122 | PowerScale OneFS | Any other version | Upgrade your version of PowerScale OneFS. | PowerScale OneFS Downloads Area |
| CVE-2022-34437 | PowerScale OneFS | 9.1.0.0 through 9.1.0.21; 9.2.1.0 through 9.2.1.15; 9.3.0.0 through 9.3.0.7 | Download and install the latest RUP: >= 9.1.0.22, >= 9.2.1.16, >= 9.3.0.8 | PowerScale OneFS Downloads Area |
| CVE-2022-34437 | PowerScale OneFS | Any other version | Upgrade your version of PowerScale OneFS. | PowerScale OneFS Downloads Area |
| CVE-2022-34438 | PowerScale OneFS | 9.1.0.0 through 9.1.0.22; 9.2.1.0 through 9.2.1.15; 9.3.0.0 through 9.3.0.7; 9.4.0.0 through 9.4.0.5 | Download and install the latest RUP: >= 9.1.0.23, >= 9.2.1.16, >= 9.3.0.8, >= 9.4.0.6 | PowerScale OneFS Downloads Area |
| CVE-2022-34438 | PowerScale OneFS | Any other version | Upgrade your version of PowerScale OneFS. | PowerScale OneFS Downloads Area |
| CVE-2022-34439 | PowerScale OneFS | 9.1.0.0 through 9.1.0.22; 9.2.1.0 through 9.2.1.15; 9.3.0.0 through 9.3.0.7; 9.4.0.0 through 9.4.0.5 | Download and install the latest RUP: >= 9.1.0.23, >= 9.2.1.16, >= 9.3.0.8, >= 9.4.0.6 | PowerScale OneFS Downloads Area |
| CVE-2022-34439 | PowerScale OneFS | Any other version | Upgrade your version of PowerScale OneFS or apply the steps listed in the "Workarounds and Mitigations" section in the next table. | PowerScale OneFS Downloads Area |
| CVE-2021-36306, CVE-2021-36307, CVE-2021-36308, CVE-2021-36310, CVE-2021-36319, CVE-2021-3711, CVE-2021-3712 | PowerScale OneFS with Dell Networking switch running Networking OS10 firmware | PowerScale OneFS 9.4.0.x, 9.3.0.x, 9.2.1.x, 9.2.0.x, 9.1.0.x, 9.0.0.x with DNOS version before 10.5.2.11 | 10.5.2.11 | SmartFabric OS10 Drivers & Downloads |
Workarounds and Mitigations
| CVE | Workarounds |
|---|---|
| CVE-2022-34439 | This vulnerability only applies to Ethernet backend clusters with a single (non-redundant) backend configuration. Disable LBFO by issuing the command below. After the patch is applied, or after upgrading to a version with the issue resolved, revert this mitigation with `isi services isi_lbfo_d enable`. Note: re-enabling the service is required before future configurations using redundant backend interfaces. |

Command to disable LBFO (run on the cluster; the two checks confirm the backend fabric is Ethernet and failover is disabled before the service is stopped):

```shell
# Only act when LBFO failover is disabled AND the backend fabric is Ethernet;
# otherwise the cluster is not in the single (non-redundant) Ethernet
# backend configuration this workaround targets.
if isi cluster internal-networks view | grep -q "Failover Status: disabled" &&
   isi cluster internal-networks view | grep -q "Fabric: Ethernet"; then
  echo
  echo "Disabling service, please re-enable after upgrade to fixed version"
  isi services isi_lbfo_d disable
else
  echo
  echo "Not impacted"
fi
```

Command to revert the mitigation after the fixed version is installed:

```shell
isi services isi_lbfo_d enable
```
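The check above decides only whether the backend configuration is in scope; the Remediation table adds a version condition. The script below, an added example and not Dell's code, combines both so an operator can evaluate a cluster offline from its OneFS version and a saved copy of the `isi cluster internal-networks view` output. The version boundaries are those listed for CVE-2022-34439 above; the sample view text and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether the CVE-2022-34439
# LBFO workaround applies, from the OneFS version and saved output of
# "isi cluster internal-networks view". Version boundaries come from the
# Remediation table; the sample view text below is constructed.

# 0 = build is in an affected range for CVE-2022-34439 (8.2.0.x-9.4.0.x,
# below the first fixed RUP of its train), 1 = fixed or not a listed train.
onefs_affected() {
  v="$1"
  case "$v" in
    9.1.0.*) fixed=23 ;;
    9.2.1.*) fixed=16 ;;
    9.3.0.*) fixed=8 ;;
    9.4.0.*) fixed=6 ;;
    8.2.*|9.0.0.*|9.2.0.*) return 0 ;;   # affected, no RUP listed: upgrade
    *) return 1 ;;
  esac
  [ "${v##*.}" -lt "$fixed" ]
}

# 0 when the workaround applies: Ethernet backend fabric with LBFO failover
# disabled (the single, non-redundant backend case named in the advisory).
lbfo_workaround_applies() {
  printf '%s\n' "$1" | grep -q "Failover Status: disabled" &&
    printf '%s\n' "$1" | grep -q "Fabric: Ethernet"
}

# Report the action for one cluster; prints the isi command rather than
# running it, so the script is safe to use off-cluster.
advise() {
  if ! onefs_affected "$1"; then
    echo "OneFS $1: not in an affected range for CVE-2022-34439"
  elif lbfo_workaround_applies "$2"; then
    echo "OneFS $1: affected; run 'isi services isi_lbfo_d disable' until upgraded"
  else
    echo "OneFS $1: affected build, backend not single Ethernet; upgrade only"
  fi
}

# Constructed sample view output (not captured from a real cluster).
VIEW_ETH_SINGLE="Fabric: Ethernet
Failover Status: disabled"
VIEW_IB="Fabric: Infiniband
Failover Status: disabled"

advise 9.3.0.5 "$VIEW_ETH_SINGLE"
advise 9.3.0.9 "$VIEW_ETH_SINGLE"
advise 9.4.0.2 "$VIEW_IB"
```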
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2022-10-13 | Initial Release |
| 1.1 | 2022-10-24 | Updated Affected Versions and Remediation section; corrected a typographical error in the Workaround and Mitigation section |
| 1.2 | 2022-11-7 | |
| 1.3 | 2022-11-15 | Updated applicable sections with information for additional CVEs (CVE-2021-36306, CVE-2021-36307, CVE-2021-36308, CVE-2021-36310, CVE-2021-36319, CVE-2021-3711, and CVE-2021-3712) |
| 1.4 | 2023-02-02 | Updated the wording in the Workarounds and Mitigation section for CVE-2022-34439 |
Affected Products
Isilon A200, Isilon A2000, Isilon F800, Isilon F810, Isilon H400, Isilon H500, Isilon H5600, Isilon H600, PowerScale Archive A300, PowerScale Archive A3000, PowerScale B100, PowerScale F200, PowerScale F600, PowerScale F900, PowerScale Hybrid H700, PowerScale Hybrid H7000, PowerScale P100, Product Security Information
...
Products
PowerScale OneFS
Article Properties
Article Number: 000204053
Article Type: Dell Security Advisory
Last Modified: 02 Feb 2023