DSA-2026-047: Security update for Dell ECS and ObjectScale Multiple Vulnerabilities
概要: Dell ECS and ObjectScale remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
この記事は次に適用されます:
この記事は次には適用されません:
この記事は、特定の製品に関連付けられていません。
すべての製品パージョンがこの記事に記載されているわけではありません。
影響
Critical
詳細情報
This security advisory communicates vulnerabilities affecting Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0. To remediate the vulnerabilities, customers must upgrade to ObjectScale 4.2.0.0, the Latest Code as per the Minimum, Recommended, and Latest Code Versions for Dell Technologies Servers, Storage, and Networking products.
詳細
| Third-party Component | CVEs | More Information |
| net/netip | CVE-2024-24790 | https://nvd.nist.gov/vuln/search |
| jackson-core | CVE-2025-52999 | https://nvd.nist.gov/vuln/search |
| Apache Commons IO | CVE-2024-47554 | https://nvd.nist.gov/vuln/search |
| XStream | CVE-2024-47072 | https://nvd.nist.gov/vuln/search |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-22273 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-22271 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2026-22274 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-22276 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-22275 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-22273 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-22271 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2026-22274 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-22276 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-22275 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
影響を受ける製品と修復
| Product | Affected Versions | Remediated Versions | Link |
| Elastic Cloud Storage (ECS) | Versions 3.8.1.0 through 3.8.1.7 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
| ObjectScale | Versions prior to 4.2.0.0 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
| Product | Affected Versions | Remediated Versions | Link |
| Elastic Cloud Storage (ECS) | Versions 3.8.1.0 through 3.8.1.7 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
| ObjectScale | Versions prior to 4.2.0.0 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
Note:
- Dell recommends all customers have their ObjectScale systems upgraded at the earliest opportunity by opening an “Operating Environment Upgrade” Service Request.
- Please visit the Security Update Release Schedule for Supported Versions of ObjectScale (formerly ECS) for more information.
回避策と緩和策
| CVE ID | Workaround and Mitigation |
| CVE-2026-22273 | To mitigate this vulnerability, customers on all supported ECS or Objectscale versions, still using default credentials, can apply the password change procedure documented as a 'NOTE' under the ‘Default Node Users’ table in the Dell ObjectScale 4.2.0.0 Security Configuration Guide, without performing an upgrade. |
| CVE-2026-22271 |
To remediate this vulnerability, starting with ObjectScale version 4.2.0.0, the system automatically disables CAS unless it detects active usage. To mitigate this vulnerability, customers who have not upgraded to ObjectScale version 4.2.0.0 yet or are actively using CAS in their setup should refer to the ‘Securing the CAS Protocol’ section in the Dell ObjectScale 4.2.0.0 Security Configuration Guide and apply the recommended steps. |
変更履歴
| Revision | Date | Description |
| 1.0 | 2026-01-16 | Initial Release |
| 2.0 | 2026-01-20 | Aligned CVE-2026-22271 and CVE-2026-22273 mitigations with their descriptions |
関連情報
法的免責事項
対象製品
ECS, ObjectScale, ECS Appliance, ECS Appliance Hardware Series, ECS Appliance Software with Encryption, ECS Appliance Software without Encryption, ObjectScale Software with Encryption, ObjectScale Software without Encryption
, ObjectScale Appliance Series, ObjectScale Software Series
...
文書のプロパティ
文書番号: 000415880
文書の種類: Dell Security Advisory
最終更新: 20 1月 2026
質問に対する他のDellユーザーからの回答を見つける
サポート サービス
お使いのデバイスがサポート サービスの対象かどうかを確認してください。