Ga naar hoofdinhoud
  • Snel en eenvoudig bestellen
  • Bestellingen en de verzendstatus bekijken
  • Een lijst met producten maken en openen
  • Beheer uw Dell EMC locaties, producten en contactpersonen op productniveau met Company Administration.

Artikelnummer: 000209895


DSA-2023-035: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities

Samenvatting: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article content


Impact

High

Gegevens

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2023-25536 Dell PowerScale OneFS 9.4.0.x contains exposure of sensitive information to an unauthorized actor. A malicious authenticated local user could potentially exploit this vulnerability in certificate management, leading to a potential system takeover. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2023-25540 Dell PowerScale OneFS 9.4.0.x contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability to overwrite arbitrary files causing denial of service. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2023-23689 Dell PowerScale nodes A200, A2000, H400, H500, H600, H5600, F800, F810 integrated hardware management software contains an uncontrolled resource consumption vulnerability. This may allow an unauthenticated network host to impair integrated hardware management functionality and trigger OneFS data protection mechanism causing a denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
 
Third-party Component CVEs More Information
libxml2 CVE-2022-40304 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for more details.
python38 CVE-2020-10735 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for more details.
Intel Platform CVE-2021-0153
CVE-2021-0154
CVE-2021-0155
CVE-2021-0159
CVE-2021-0188
CVE-2021-0189
CVE-2021-0190
CVE-2021-33060
CVE-2021-33103
CVE-2021-33122
CVE-2021-33123
CVE-2021-33124
CVE-2022-21123
CVE-2022-21125
CVE-2022-21127
CVE-2022-21166
CVE-2022-21180
INTEL-SA-00601 This hyperlink is taking you to a website outside of Dell Technologies.
INTEL-SA-00686 This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2022-0004
CVE-2021-21131
INTEL-SA-00613 This hyperlink is taking you to a website outside of Dell Technologies.
See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.
CVE-2022-0778 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.
Arista EOS

CVE-2021-28500

CVE-2021-28501

CVE-2021-28503

CVE-2021-28506

CVE-2021-28507

CVE-2021-28496

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies.for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

 
NOTE: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0.
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2023-25536 Dell PowerScale OneFS 9.4.0.x contains exposure of sensitive information to an unauthorized actor. A malicious authenticated local user could potentially exploit this vulnerability in certificate management, leading to a potential system takeover. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2023-25540 Dell PowerScale OneFS 9.4.0.x contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability to overwrite arbitrary files causing denial of service. 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2023-23689 Dell PowerScale nodes A200, A2000, H400, H500, H600, H5600, F800, F810 integrated hardware management software contains an uncontrolled resource consumption vulnerability. This may allow an unauthenticated network host to impair integrated hardware management functionality and trigger OneFS data protection mechanism causing a denial of service. 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L This hyperlink is taking you to a website outside of Dell Technologies.
 
Third-party Component CVEs More Information
libxml2 CVE-2022-40304 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for more details.
python38 CVE-2020-10735 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for more details.
Intel Platform CVE-2021-0153
CVE-2021-0154
CVE-2021-0155
CVE-2021-0159
CVE-2021-0188
CVE-2021-0189
CVE-2021-0190
CVE-2021-33060
CVE-2021-33103
CVE-2021-33122
CVE-2021-33123
CVE-2021-33124
CVE-2022-21123
CVE-2022-21125
CVE-2022-21127
CVE-2022-21166
CVE-2022-21180
INTEL-SA-00601 This hyperlink is taking you to a website outside of Dell Technologies.
INTEL-SA-00686 This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2022-0004
CVE-2021-21131
INTEL-SA-00613 This hyperlink is taking you to a website outside of Dell Technologies.
See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.
CVE-2022-0778 See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.
Arista EOS

CVE-2021-28500

CVE-2021-28501

CVE-2021-28503

CVE-2021-28506

CVE-2021-28507

CVE-2021-28496

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies.for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

See NVD This hyperlink is taking you to a website outside of Dell Technologies. for details.

 
NOTE: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0.
Dell Technologies raadt aan dat alle klanten rekening houden met zowel de basisscore van CVSS als alle relevante tijdelijke en omgevingsscores die gevolgen kunnen hebben voor de mogelijke ernst van de specifieke beveiligingsproblemen.

Getroffen producten en herstel

CVE(s) Addressed Product Affected Version(s) Updated Version(s) Link to Update
CVE-2022-40304
 
PowerScale OneFS
 

9.1.0.0 through 9.1.0.27

9.2.1.0 through 9.2.1.20

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.1.0.28

>= 9.2.1.21

>= 9.4.0.13

>= 9.5.0.0

PowerScale OneFS Downloads Area
 

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2023-25536

PowerScale OneFS

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.4.0.12

CVE-2023-25540

PowerScale OneFS
 

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.4.0.12

 CVE-2020-10735
 
PowerScale OneFS
 

9.4.0.0 through 9.4.0.11

 

Download and install the latest RUP.

>= 9.4.0.12

CVE-2021-0153

CVE-2021-0154

CVE-2021-0155

CVE-2021-0159

CVE-2021-0188

CVE-2021-0189

CVE-2021-0190

CVE-2021-33060

CVE-2021-33103

CVE-2021-33122

CVE-2021-33123

CVE-2021-33124

CVE-2022-21123

CVE-2022-21125

CVE-2022-21127

CVE-2022-21166

CVE-2022-21180

A200

A2000

F800

F810

H400

H500

H600

H5600

9.5.0.x

9.4.0.x

9.3.0.x 

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

Download and install the latest NFP version >= 11.6.1

 

 

 

 

CVE-2022-0004

CVE-2021-21131

A300

A3000

H700

H7000

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

CVE-2022-0778

A300

A3000

H700

H7000

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

CVE-2023-23689

A200

A2000

H400

H500

H600

H5600

F800

F810

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

CVE-2021-28500

CVE-2021-28501

CVE-2021-28503

CVE-2021-28506

CVE-2021-28507

CVE-2021-28496

PowerScale OneFS with Arista Switch Series DCS-7304 and DCS-7308

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

Download and install Arista EOS >=4.28.3

Note: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0

CVE(s) Addressed Product Affected Version(s) Updated Version(s) Link to Update
CVE-2022-40304
 
PowerScale OneFS
 

9.1.0.0 through 9.1.0.27

9.2.1.0 through 9.2.1.20

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.1.0.28

>= 9.2.1.21

>= 9.4.0.13

>= 9.5.0.0

PowerScale OneFS Downloads Area
 

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2023-25536

PowerScale OneFS

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.4.0.12

CVE-2023-25540

PowerScale OneFS
 

9.4.0.0 through 9.4.0.11

Download and install the latest RUP.

>= 9.4.0.12

 CVE-2020-10735
 
PowerScale OneFS
 

9.4.0.0 through 9.4.0.11

 

Download and install the latest RUP.

>= 9.4.0.12

CVE-2021-0153

CVE-2021-0154

CVE-2021-0155

CVE-2021-0159

CVE-2021-0188

CVE-2021-0189

CVE-2021-0190

CVE-2021-33060

CVE-2021-33103

CVE-2021-33122

CVE-2021-33123

CVE-2021-33124

CVE-2022-21123

CVE-2022-21125

CVE-2022-21127

CVE-2022-21166

CVE-2022-21180

A200

A2000

F800

F810

H400

H500

H600

H5600

9.5.0.x

9.4.0.x

9.3.0.x 

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

Download and install the latest NFP version >= 11.6.1

 

 

 

 

CVE-2022-0004

CVE-2021-21131

A300

A3000

H700

H7000

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

CVE-2022-0778

A300

A3000

H700

H7000

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

CVE-2023-23689

A200

A2000

H400

H500

H600

H5600

F800

F810

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

 

CVE-2021-28500

CVE-2021-28501

CVE-2021-28503

CVE-2021-28506

CVE-2021-28507

CVE-2021-28496

PowerScale OneFS with Arista Switch Series DCS-7304 and DCS-7308

9.5.0.x

9.4.0.x

9.3.0.x

9.2.1.x

9.2.0.x

9.1.0.x

9.0.0.x

Download and install Arista EOS >=4.28.3

Note: All PowerScale related CVEs are addressed in the newly released PowerScale OneFS version 9.5.0.0

Tijdelijke oplossingen en beperkingen

CVEs Workarounds
CVE-2023-25540 Manually set the permissions of /ifs/.ifsvar/modules/security_check to 755.
#chmod 755 /ifs/.ifsvar/modules/security_check
CVE-2023-25536 Manually remove the self-signed certificates on cluster nodes.
#isi_for_array "test -e /etc/ssl/certs/4a7a8630.0 && rm -f /etc/ssl/certs/4a7a8630.0 || exit 0"

Revisiegeschiedenis

RevisionDateDescription
1.02023-02-28 Initial release
1.12023-03-02Added CVE-2023-25536 and updated Workaround and Mitigation section.
1.22023-05-17Added Arista EOS CVEs

Verwante informatie


Artikeleigenschappen


Getroffen product

PowerScale OneFS, PowerScale Archive A300, PowerScale Archive A3000, PowerScale Hybrid H700, PowerScale Hybrid H7000, Product Security Information

Datum laatst gepubliceerd

01 mrt. 2024

Versie

6

Artikeltype

Dell Security Advisory