Ga naar hoofdinhoud
  • Snel en eenvoudig bestellen
  • Bestellingen en de verzendstatus bekijken
  • Een lijst met producten maken en openen
  • Beheer uw Dell EMC locaties, producten en contactpersonen op productniveau met Company Administration.

Artikelnummer: 000195815


DSA-2022-002: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities

Samenvatting: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article content


Impact

High

Gegevens

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2022-22561 Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts. 8.1 CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVE-2022-22549 Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials. 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-22559 Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure. 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-22562 Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability. 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22560 Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline. 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVE-2022-22550 Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22565 Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data. 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
 
Third-party Component CVEs More information
GNU gettext CVE-2018-18751 https://nvd.nist.gov/vuln/detail/CVE-2018-18751 
https://www.gnu.org/software/gettext/ 
OpenSSL CVE-2021-3712 https://nvd.nist.gov/vuln/detail/CVE-2021-3712 
https://www.openssl.org/news/secadv/20210824.txt 
Apache Multiple https://httpd.apache.org/security/vulnerabilities_24.html

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2022-22561 Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts. 8.1 CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVE-2022-22549 Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials. 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-22559 Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure. 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-22562 Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability. 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22560 Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline. 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVE-2022-22550 Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22565 Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data. 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
 
Third-party Component CVEs More information
GNU gettext CVE-2018-18751 https://nvd.nist.gov/vuln/detail/CVE-2018-18751 
https://www.gnu.org/software/gettext/ 
OpenSSL CVE-2021-3712 https://nvd.nist.gov/vuln/detail/CVE-2021-3712 
https://www.openssl.org/news/secadv/20210824.txt 
Apache Multiple https://httpd.apache.org/security/vulnerabilities_24.html

Dell Technologies raadt aan dat alle klanten rekening houden met zowel de basisscore van CVSS als alle relevante tijdelijke en omgevingsscores die gevolgen kunnen hebben voor de mogelijke ernst van de specifieke beveiligingsproblemen.

Getroffen producten en herstel

CVEs Addressed Affected Versions Updated Versions Link to Update
CVE-2022-22561 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS PowerScale OneFS Downloads Area




 
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP
CVE-2022-22549 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP
CVE-2022-22559 n/a Upgrade your version of OneFS
9.3.0.x Download and install the latest RUP
CVE-2022-22562 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x and 9.2.1.x Download and install the latest RUP
CVE-2022-22560 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x and 9.2.1.x Download and install the latest RUP
CVE-2022-22550 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP
CVE-2018-18751 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP
CVE-2021-3712 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP
Apache: Multiple 8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-22565 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
CVEs Addressed Affected Versions Updated Versions Link to Update
CVE-2022-22561 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS PowerScale OneFS Downloads Area




 
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP
CVE-2022-22549 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP
CVE-2022-22559 n/a Upgrade your version of OneFS
9.3.0.x Download and install the latest RUP
CVE-2022-22562 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x and 9.2.1.x Download and install the latest RUP
CVE-2022-22560 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x and 9.2.1.x Download and install the latest RUP
CVE-2022-22550 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP
CVE-2018-18751 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP
CVE-2021-3712 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP
Apache: Multiple 8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, 9.3.0.x Download and install the latest RUP
CVE-2022-22565 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x Upgrade your version of OneFS
9.1.0.x, 9.2.1.x, and 9.3.0.x Download and install the latest RUP

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

Revisiegeschiedenis

RevisionDateDescription
1.02022-01-31Initial Release

Verwante informatie

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


Artikeleigenschappen


Getroffen product

PowerScale OneFS, Product Security Information

Datum laatst gepubliceerd

31 jan 2022

Versie

1

Artikeltype

Dell Security Advisory