DSA-2022-002: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities
Yhteenveto: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system.
Tämä artikkeli koskee tuotetta
Tämä artikkeli ei koske tuotetta
Tämä artikkeli ei liity tiettyyn tuotteeseen.
Tässä artikkelissa ei yksilöidä kaikkia tuoteversioita.
Vaikutus
High
Tiedot
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-22561 | Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts. | 8.1 | CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVE-2022-22549 | Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2022-22559 | Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-22562 | Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-22560 | Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline. | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| CVE-2022-22550 | Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-22565 | Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data. | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| Third-party Component | CVEs | More information |
| GNU gettext | CVE-2018-18751 | https://nvd.nist.gov/vuln/detail/CVE-2018-18751 https://www.gnu.org/software/gettext/ |
| OpenSSL | CVE-2021-3712 | https://nvd.nist.gov/vuln/detail/CVE-2021-3712 https://www.openssl.org/news/secadv/20210824.txt |
| Apache | Multiple | https://httpd.apache.org/security/vulnerabilities_24.html |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-22561 | Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts. | 8.1 | CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVE-2022-22549 | Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2022-22559 | Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-22562 | Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-22560 | Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline. | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| CVE-2022-22550 | Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-22565 | Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data. | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| Third-party Component | CVEs | More information |
| GNU gettext | CVE-2018-18751 | https://nvd.nist.gov/vuln/detail/CVE-2018-18751 https://www.gnu.org/software/gettext/ |
| OpenSSL | CVE-2021-3712 | https://nvd.nist.gov/vuln/detail/CVE-2021-3712 https://www.openssl.org/news/secadv/20210824.txt |
| Apache | Multiple | https://httpd.apache.org/security/vulnerabilities_24.html |
Tuotteet, joihin asia vaikuttaa, ja tilanteen korjaaminen
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-22561 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22549 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22559 | n/a | Upgrade your version of OneFS | |
| 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22562 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22560 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22550 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2018-18751 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2021-3712 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| Apache: Multiple | 8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22565 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-22561 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22549 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22559 | n/a | Upgrade your version of OneFS | |
| 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22562 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22560 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22550 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2018-18751 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2021-3712 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| Apache: Multiple | 8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22565 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
Versiohistoria
| Revision | Date | Description |
| 1.0 | 2022-01-31 | Initial Release |
Asiaan liittyvät tiedot
Vastuuvapauslauseke
Tuotteet, joihin vaikutus kohdistuu
PowerScale OneFS, Product Security InformationArtikkelin ominaisuudet
Artikkelin numero: 000195815
Artikkelin tyyppi: Dell Security Advisory
Viimeksi muutettu: 31 tammik. 2022
Etsi vastauksia kysymyksiisi muilta Dell-käyttäjiltä
Tukipalvelut
Tarkista, kuuluuko laitteesi tukipalveluiden piiriin.