DSA-2022-024: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities
Résumé: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that may potentially be exploited by malicious users to compromise the affected system.
Cet article concerne
Cet article ne concerne pas
Cet article n’est associé à aucun produit spécifique.
Toutes les versions du produit ne sont pas identifiées dans cet article.
Impact
Critical
Détails
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-24411 | Dell PowerScale OneFS 8.2.2 and later contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE may potentially exploit this vulnerability, leading to elevation of privilege. This may potentially allow users to circumvent PowerScale Compliance Mode guarantees. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-24412 | Dell EMC PowerScale OneFS 8.2.x - 9.3.0.x contain an improper handling of value vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to denial-of-service. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-23161 | Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker may potentially exploit this vulnerability, leading to denial-of-service. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-23160 | Dell PowerScale OneFS 8.2.x - 9.3.0 contain an Improper Handling of Insufficient Permissions vulnerability. An remote malicious user may potentially exploit this vulnerability, leading to gaining write permissions on read-only files. | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| CVE-2022-23159 | Dell PowerScale OneFS 8.2.x - 9.3.0.x contain a missing release of memory after effective lifetime vulnerability. An authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_AUTH_PROVIDERS privileges may potentially exploit this vulnerability, leading to a Denial-Of-Service. This can also impact a cluster in Compliance mode. Dell recommends to update at the earliest opportunity. | 4.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H |
| CVE-2022-23163 | Dell PowerScale OneFS 8.2.x - 9.3.0.x contain a denial of service vulnerability. A local attacker with minimal privileges may potentially exploit this vulnerability, leading to denial of service/data unavailability. | 4.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-24413 | Dell PowerScale OneFS 8.2.2-9.3.x contain a time-of-check-to-time-of-use vulnerability. A local user with access to the filesystem may potentially exploit this vulnerability, leading to data loss. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| Third-Party Component | CVE | More information |
| Apache Portable Runtime | CVE-2017-12613 | CVE-2021-35940 |
Produits concernés et mesure corrective
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-24411 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24412 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23161 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2017-12613 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23160 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23159 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23163 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24413 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP |
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-24411 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24412 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23161 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2017-12613 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23160 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23159 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-23163 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP | ||
| CVE-2022-24413 | 8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x. | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x. | Download and install the latest RUP |
Solutions de contournement et mesures d’atténuation
| CVEs addressed | Workaround or Mitigation |
| CVE-2022-24411 | none |
| CVE-2022-24412 | Disable netbios support if enabled (default setting: disabled):
#isi smb settings global modify --support-netbios no
#isi smb settings global view | grep NetBIOS If the service is disabled, the following output is displayed: #Support NetBIOS: No |
| CVE-2022-23161 | Configure a valid FQDN in the SmartConnect service name field for every SmartConnect subnet on the cluster: #isi network subnets modify <subnet> --sc-service-name cluster-sc.example.com |
| CVE-2017-12613 | none |
| CVE-2022-23160 | Configure SMB share permissions of any SyncIQ target directory to prevent writes. |
| CVE-2022-23159 | none |
| CVE-2022-23163 | none |
| CVE-2022-24413 | none |
Historique des révisions
| Revision | Date | Description |
| 1.0 | 2022-03-03 | Initial |
| 1.1 | 2022-03-04 | Corrected Impact |
Informations connexes
Mention légale
Produits concernés
PowerScale OneFSProduits
Product Security InformationPropriétés de l’article
Numéro d’article: 000196009
Type d’article: Dell Security Advisory
Dernière modification: 30 nov. 2022
Trouvez des réponses à vos questions auprès d’autres utilisateurs Dell
Services de support
Vérifiez si votre appareil est couvert par les services de support.