DSA-2022-014: Dell EMC PowerStore Family Security Update for Multiple Vulnerabilities
概要: Dell EMC PowerStore Family remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
この記事は次に適用されます:
この記事は次には適用されません:
この記事は、特定の製品に関連付けられていません。
すべての製品パージョンがこの記事に記載されているわけではありません。
影響
Critical
詳細
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-22556 | Dell PowerStore contains an Uncontrolled Resource Consumption Vulnerability in PowerStore User Interface. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to the Denial of Service. | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2022-22557 | Dell PowerStore contains Plain-Text Password Storage Vulnerability in version 2.0.0.x. and 2.0.1.x. A locally authenticated attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CVE-2022-26866 | Dell PowerStore contains a Stored Cross-Site Scripting Vulnerability, an authenticated attacker may potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
| CVE-2022-26867 | Dell PowerStore contains formula injection vulnerability in which it supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It may allow a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file. | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L |
| CVE-2022-26868 | Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CVE-2022-26869 | Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contain an open port vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to information disclosure, arbitrary code execution. | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-26870 | Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability when both Remote Secure Credential and External SSH are enabled. An attacker would gain “service” account access upon successful exploit. | 7.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H |
| Third-Party Component | CVEs | More Information |
| NVMe SSD | CVE-2021-0148 | Intel-SA-00535 |
| Axios | CVE-2020-28168 | See NVD (http://nvd.nist.gov/) for individual scores of each CVE. |
| bind-libs bind-libs-lite bind-utils bind-license |
CVE-2021-25215 | |
| glib2 | CVE-2021-27219 | |
| gupnp | CVE-2021-33516 | |
| java-1.8.0-openjdk | CVE-2021-2369 | |
| CVE-2021-2388 | ||
| CVE-2021-2341 | ||
| libldb | CVE-2021-20277 | |
| libwbclient | CVE-2021-20254 | |
| Lo-dash | CVE-2021-23337 | |
| CVE-2020-28500 | ||
| CVE-2020-8203 | ||
| Log4j | CVE-2021-45105 | |
| CVE-2021-44832 | ||
| CVE-2022-23307 | ||
| nettle | CVE-2021-20305 | |
| nss nss-sysinit nss-tools |
CVE-2020-25648 | |
| openldap | CVE-2020-25692 | |
| pillow | CVE-2021-28675 | |
| CVE-2021-28676 | ||
| CVE-2021-25288 | ||
| CVE-2021-25287 | ||
| CVE-2021-28677 | ||
| CVE-2021-28678 | ||
| postgres | CVE-2021-20229 | |
| CVE-2021-32027 | ||
| CVE-2021-3393 | ||
| postgres-libs | CVE-2021-32027 | |
| postgresql-libs | CVE-2019-10208 | |
| CVE-2020-25694 | ||
| CVE-2020-25695 | ||
| samba-common samba-client-libs samba-common-libs libwbclient |
CVE-2021-20254 | |
| screen version | CVE-2021-26937 | |
| urllib3 | CVE-2021-33503 | |
| xterm | CVE-2021-27135 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-22556 | Dell PowerStore contains an Uncontrolled Resource Consumption Vulnerability in PowerStore User Interface. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to the Denial of Service. | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2022-22557 | Dell PowerStore contains Plain-Text Password Storage Vulnerability in version 2.0.0.x. and 2.0.1.x. A locally authenticated attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CVE-2022-26866 | Dell PowerStore contains a Stored Cross-Site Scripting Vulnerability, an authenticated attacker may potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
| CVE-2022-26867 | Dell PowerStore contains formula injection vulnerability in which it supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It may allow a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file. | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L |
| CVE-2022-26868 | Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CVE-2022-26869 | Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contain an open port vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to information disclosure, arbitrary code execution. | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-26870 | Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability when both Remote Secure Credential and External SSH are enabled. An attacker would gain “service” account access upon successful exploit. | 7.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H |
| Third-Party Component | CVEs | More Information |
| NVMe SSD | CVE-2021-0148 | Intel-SA-00535 |
| Axios | CVE-2020-28168 | See NVD (http://nvd.nist.gov/) for individual scores of each CVE. |
| bind-libs bind-libs-lite bind-utils bind-license |
CVE-2021-25215 | |
| glib2 | CVE-2021-27219 | |
| gupnp | CVE-2021-33516 | |
| java-1.8.0-openjdk | CVE-2021-2369 | |
| CVE-2021-2388 | ||
| CVE-2021-2341 | ||
| libldb | CVE-2021-20277 | |
| libwbclient | CVE-2021-20254 | |
| Lo-dash | CVE-2021-23337 | |
| CVE-2020-28500 | ||
| CVE-2020-8203 | ||
| Log4j | CVE-2021-45105 | |
| CVE-2021-44832 | ||
| CVE-2022-23307 | ||
| nettle | CVE-2021-20305 | |
| nss nss-sysinit nss-tools |
CVE-2020-25648 | |
| openldap | CVE-2020-25692 | |
| pillow | CVE-2021-28675 | |
| CVE-2021-28676 | ||
| CVE-2021-25288 | ||
| CVE-2021-25287 | ||
| CVE-2021-28677 | ||
| CVE-2021-28678 | ||
| postgres | CVE-2021-20229 | |
| CVE-2021-32027 | ||
| CVE-2021-3393 | ||
| postgres-libs | CVE-2021-32027 | |
| postgresql-libs | CVE-2019-10208 | |
| CVE-2020-25694 | ||
| CVE-2020-25695 | ||
| samba-common samba-client-libs samba-common-libs libwbclient |
CVE-2021-20254 | |
| screen version | CVE-2021-26937 | |
| urllib3 | CVE-2021-33503 | |
| xterm | CVE-2021-27135 |
影響を受ける製品と修復
| CVEs Addressed | Products | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-22557 | PowerStore T OS PowerStore X OS |
PowerStore T OS versions 2.0.0.x and 2.0.1.x *PowerStore T OS versions 1.0.x.x are not affected. PowerStore X OS versions 2.0.0.x and 2.0.1.x *PowerStore X OS versions 1.0.x.x are not affected. |
PowerStore T OS Upgrade 2.1.0.0-1561821 PowerStore T OS Upgrade 2.1.0.1-1602345 PowerStore T OS Upgrade 2.1.1.0-1649887 PowerStore X OS Upgrade 2.1.1.0-1649887 |
https://www.dell.com/support/home/?app=drivers |
| CVE-2022-22556 | PowerStore T OS PowerStore X OS |
PowerStore T OS versions before PowerStore T OS Upgrade 2.1.0.0-1561821 PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887 |
PowerStore T OS Upgrade 2.1.0.0-1561821 PowerStore T OS Upgrade 2.1.0.1-1602345 PowerStore T OS Upgrade 2.1.1.0-1649887 PowerStore X OS” PowerStore X OS Upgrade 2.1.1.0-1649887 |
|
| CVE-2021-0148 | ||||
| CVE-2020-28168 | ||||
| CVE-2021-25215 | ||||
| CVE-2021-27219 | ||||
| CVE-2021-33516 | ||||
| CVE-2021-2369 | ||||
| CVE-2021-2388 | ||||
| CVE-2021-2341 | ||||
| CVE-2021-20277 | ||||
| CVE-2021-20254 | ||||
| CVE-2021-23337 | ||||
| CVE-2020-28500 | ||||
| CVE-2020-8203 | ||||
| CVE-2020-25692 | ||||
| CVE-2021-28675 | ||||
| CVE-2021-28676 | ||||
| CVE-2021-25288 | ||||
| CVE-2021-25287 | ||||
| CVE-2021-28677 | ||||
| CVE-2021-28678 | ||||
| CVE-2021-20229 | ||||
| CVE-2021-32027 | ||||
| CVE-2021-3393 | ||||
| CVE-2019-10208 | ||||
| CVE-2020-25694 | ||||
| CVE-2020-25695 | ||||
| CVE-2021-20254 | ||||
| CVE-2021-26937 | ||||
| CVE-2021-33503 | ||||
| CVE-2021-27135 | ||||
| CVE-2022-26866 | PowerStore T OS PowerStore X OS |
PowerStore T OS versions before PowerStore T OS Upgrade 2.1.1.0-1649887 PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887 |
PowerStore T OS Upgrade 2.1.1.0-1649887 PowerStore X OS Upgrade 2.1.1.0-1649887 |
|
| CVE-2022-26867 | ||||
| CVE-2021-45105 | ||||
| CVE-2021-44832 | ||||
| CVE-2022-23307 | ||||
| CVE-2022-26868 | PowerStore T OS PowerStore X OS |
PowerStore T OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x *PowerStore T OS versions 1.0.x.x are not affected. PowerStore X OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x *PowerStore X OS versions 1.0.x.x are not affected. |
PowerStore T OS Upgrade 2.1.1.0-1649887 PowerStore X OS Upgrade 2.1.1.0-1649887 |
|
| CVE-2022-26869 | ||||
| CVE-2022-26870 | PowerStore T OS | PowerStore T OS versions 2.1.0.x *PowerStore T OS 1.0.x.x, 2.0.0.x, 2.0.1.x are not affected |
PowerStore T OS Upgrade 2.1.1.0-1649887 |
| CVEs Addressed | Products | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-22557 | PowerStore T OS PowerStore X OS |
PowerStore T OS versions 2.0.0.x and 2.0.1.x *PowerStore T OS versions 1.0.x.x are not affected. PowerStore X OS versions 2.0.0.x and 2.0.1.x *PowerStore X OS versions 1.0.x.x are not affected. |
PowerStore T OS Upgrade 2.1.0.0-1561821 PowerStore T OS Upgrade 2.1.0.1-1602345 PowerStore T OS Upgrade 2.1.1.0-1649887 PowerStore X OS Upgrade 2.1.1.0-1649887 |
https://www.dell.com/support/home/?app=drivers |
| CVE-2022-22556 | PowerStore T OS PowerStore X OS |
PowerStore T OS versions before PowerStore T OS Upgrade 2.1.0.0-1561821 PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887 |
PowerStore T OS Upgrade 2.1.0.0-1561821 PowerStore T OS Upgrade 2.1.0.1-1602345 PowerStore T OS Upgrade 2.1.1.0-1649887 PowerStore X OS” PowerStore X OS Upgrade 2.1.1.0-1649887 |
|
| CVE-2021-0148 | ||||
| CVE-2020-28168 | ||||
| CVE-2021-25215 | ||||
| CVE-2021-27219 | ||||
| CVE-2021-33516 | ||||
| CVE-2021-2369 | ||||
| CVE-2021-2388 | ||||
| CVE-2021-2341 | ||||
| CVE-2021-20277 | ||||
| CVE-2021-20254 | ||||
| CVE-2021-23337 | ||||
| CVE-2020-28500 | ||||
| CVE-2020-8203 | ||||
| CVE-2020-25692 | ||||
| CVE-2021-28675 | ||||
| CVE-2021-28676 | ||||
| CVE-2021-25288 | ||||
| CVE-2021-25287 | ||||
| CVE-2021-28677 | ||||
| CVE-2021-28678 | ||||
| CVE-2021-20229 | ||||
| CVE-2021-32027 | ||||
| CVE-2021-3393 | ||||
| CVE-2019-10208 | ||||
| CVE-2020-25694 | ||||
| CVE-2020-25695 | ||||
| CVE-2021-20254 | ||||
| CVE-2021-26937 | ||||
| CVE-2021-33503 | ||||
| CVE-2021-27135 | ||||
| CVE-2022-26866 | PowerStore T OS PowerStore X OS |
PowerStore T OS versions before PowerStore T OS Upgrade 2.1.1.0-1649887 PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887 |
PowerStore T OS Upgrade 2.1.1.0-1649887 PowerStore X OS Upgrade 2.1.1.0-1649887 |
|
| CVE-2022-26867 | ||||
| CVE-2021-45105 | ||||
| CVE-2021-44832 | ||||
| CVE-2022-23307 | ||||
| CVE-2022-26868 | PowerStore T OS PowerStore X OS |
PowerStore T OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x *PowerStore T OS versions 1.0.x.x are not affected. PowerStore X OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x *PowerStore X OS versions 1.0.x.x are not affected. |
PowerStore T OS Upgrade 2.1.1.0-1649887 PowerStore X OS Upgrade 2.1.1.0-1649887 |
|
| CVE-2022-26869 | ||||
| CVE-2022-26870 | PowerStore T OS | PowerStore T OS versions 2.1.0.x *PowerStore T OS 1.0.x.x, 2.0.0.x, 2.0.1.x are not affected |
PowerStore T OS Upgrade 2.1.1.0-1649887 |
変更履歴
| Revision | Date | More Information |
| 1.0 | 2022-04-19 | Initial Release |
| 2.0 | 2022-04-21 | Minor updates to include Log4j CVEs and Link to Update. See Dell KB article194739: https://www.dell.com/support/kbdoc/000196367 |
| 2.1 | 2023-01-17 | Minor update to CVEs Addressed in the Affected Products and Remediation section: removed duplicate CVE ID: CVE-2022-26867 and added CVE ID: CVE-2022-26866. |
関連情報
法的免責事項
対象製品
PowerStore, PowerStore 1000X, PowerStore 1000T, PowerStore 3000X, PowerStore 3000T, PowerStore 5000X, PowerStore 5000T, PowerStore 500T, PowerStore 7000X, PowerStore 7000T, PowerStore 9000X, PowerStore 9000T, Product Security Information文書のプロパティ
文書番号: 000196367
文書の種類: Dell Security Advisory
最終更新: 17 1月 2023
質問に対する他のDellユーザーからの回答を見つける
サポート サービス
お使いのデバイスがサポート サービスの対象かどうかを確認してください。