DSA-2024-210: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities
Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
This article is not tied to a specific product.
Not all product versions are listed in this article.
Impact
High
Details
| Third-Party Component | CVEs | More information |
|---|---|---|
| Sudo | CVE-2023-42465 | https://nvd.nist.gov/vuln/detail/CVE-2023-42465 |
| pyca/cryptography | CVE-2023-23931, CVE-2020-25659 | See the NVD entry for each CVE for its individual score: https://nvd.nist.gov/ |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-29170 | Dell PowerScale OneFS versions 8.2.x through 9.8.0.x contain a use of hard coded credentials vulnerability. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure of network traffic and denial of service. | 8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
Affected Products and Remediation
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Links |
|---|---|---|---|---|
| CVE-2023-42465 | PowerScale OneFS | Version 8.2.x through 9.4.0.17 | Version 9.4.0.18 or later | PowerScale OneFS Downloads Area |
| CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 8.2.x through 9.4.0.17 | Version 9.5.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-42465, CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.5.0.0 through 9.5.0.8 | Version 9.5.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-42465, CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.6.0.0 through 9.7.0.1 | Version 9.7.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2023-23931, CVE-2020-25659 | PowerScale OneFS | Version 9.7.0.2 | Version 9.7.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2024-29170 | PowerScale OneFS | Version 8.2.x through 9.8.0.x | N/A | PowerScale OneFS Security Configuration Guide |
Note: Any version not listed in the Affected Products and Remediation section should upgrade PowerScale OneFS to version 9.7.1.0 or later. We encourage all customers to adopt the Long Term Support (LTS) 2024 version, the 9.7.x code line with the latest maintenance release 9.7.1.0. For more information about LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary.
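The remediation table above is easy to misread when a cluster sits on a version that appears in more than one row (9.4.0.17, for instance, needs 9.5.1.0, not 9.4.0.18, to close every listed CVE) or in none of them (the Note then applies). The following is an added example, not code from Dell or from this advisory: it transcribes the table and the Note into a small lookup that reports, for a given installed OneFS version, which CVEs remain open, which of those have only a configuration mitigation (CVE-2024-29170), and the lowest release that fixes the rest. Obtaining the version string from the cluster (for example from `isi version`) is assumed to happen outside the script; the sample versions at the bottom are constructed inputs.

```python
"""Added example: map an installed PowerScale OneFS version to the CVEs that
DSA-2024-210 still leaves unaddressed on it, and to the lowest remediated
release that closes them. The table is transcribed from the advisory's
"Affected Products and Remediation" section; the "not listed -> 9.7.1.0"
fallback is the advisory's Note. Obtaining the version string (for example
from `isi version` on the cluster) is assumed to happen outside this script."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (CVEs, first affected, last affected, first remediated; None when the
# advisory lists only a configuration change). Transcribed from DSA-2024-210.
ADVISORY_ROWS: List[Tuple[Tuple[str, ...], str, str, Optional[str]]] = [
    (("CVE-2023-42465",), "8.2.x", "9.4.0.17", "9.4.0.18"),
    (("CVE-2023-23931", "CVE-2020-25659"), "8.2.x", "9.4.0.17", "9.5.1.0"),
    (("CVE-2023-42465", "CVE-2023-23931", "CVE-2020-25659"), "9.5.0.0", "9.5.0.8", "9.5.1.0"),
    (("CVE-2023-42465", "CVE-2023-23931", "CVE-2020-25659"), "9.6.0.0", "9.7.0.1", "9.7.1.0"),
    (("CVE-2023-23931", "CVE-2020-25659"), "9.7.0.2", "9.7.0.2", "9.7.1.0"),
    (("CVE-2024-29170",), "8.2.x", "9.8.0.x", None),
]
NOTE_FLOOR = "9.7.1.0"  # the advisory's Note: unlisted versions go to 9.7.1.0 or later


def parse_bound(text: str) -> Version:
    """'9.4.0.17' -> (9, 4, 0, 17); '8.2.x' -> (8, 2). A trailing 'x' wildcard
    truncates the tuple so that range checks compare only the stated parts."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        if piece.lower() == "x":
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_installed(text: str) -> Version:
    """Installed versions are padded to four components so that '9.7.1' and
    '9.7.1.0' compare equal and never sort below a four-part bound."""
    parts = parse_bound(text.strip().lstrip("vV"))
    return parts + (0,) * (4 - len(parts))


def in_range(v: Version, lo: str, hi: str) -> bool:
    """Inclusive range check that honours the 'x' wildcards in the table."""
    lo_t, hi_t = parse_bound(lo), parse_bound(hi)
    return v[: len(lo_t)] >= lo_t and v[: len(hi_t)] <= hi_t


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> Dict[str, object]:
    """Return the CVEs still open on this version, those that only have a
    configuration mitigation, and the lowest release that fixes the rest."""
    v = parse_installed(version_text)
    unaddressed, mitigation_only = set(), set()
    fixes: List[Version] = []
    for cves, lo, hi, fixed in ADVISORY_ROWS:
        if not in_range(v, lo, hi):
            continue
        unaddressed.update(cves)
        if fixed is None:
            mitigation_only.update(cves)
        else:
            fixes.append(parse_bound(fixed))
    # Every matched row must be closed, so the target is the highest fix version.
    if fixes:
        target: Optional[Version] = max(fixes)
    elif v < parse_bound(NOTE_FLOOR):
        target = parse_bound(NOTE_FLOOR)  # version not listed: apply the Note
    else:
        target = None
    return {
        "unaddressed": sorted(unaddressed),
        "mitigation_only": sorted(mitigation_only),
        "upgrade_to": fmt(target) if target else None,
    }


if __name__ == "__main__":
    # Constructed sample versions, one per interesting case in the table.
    for sample in ("9.4.0.17", "9.4.0.18", "9.7.0.2", "9.7.1.0", "9.8.0.3"):
        print(sample, assess(sample))
```

Two points the output makes visible: a cluster on 9.4.0.17 that only takes the 9.4.0.18 sudo fix still carries both pyca/cryptography CVEs and, being unlisted afterwards, falls under the Note; and no upgrade in this advisory closes CVE-2024-29170, which is reported separately so the backend switch password change is not forgotten.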
Workarounds and Mitigations
| CVEs | Mitigations |
|---|---|
| CVE-2023-42465 | This vulnerability only applies to users who have been granted ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE. On clusters not running in compliance mode and on PowerScale OneFS version 9.5 or later, it can be mitigated by enabling the restricted shell for those users. More information about the restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub. |
| CVE-2024-29170 | Refer to the section "Change password on backend switches" in the "Security Configuration Guide" document listed under "Administering Your Cluster" at https://www.dell.com/support/kbdoc/000220353 |
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-06-03 | Initial Release |
| 2.0 | 2024-06-12 | Updated Workarounds and Mitigations section: CVE-2024-29170 mitigation details |
| 3.0 | 2024-06-19 | Updated for enhanced presentation with no changes to content |
| 4.0 | 2024-07-01 | Updated Affected Products and Remediation section: Version 9.5.1.0 release |
| 5.0 | 2024-07-29 | Updated for enhanced presentation with no changes to content. |
| 6.0 | 2024-10-03 | Updated for enhanced presentation with no changes to content. |
Affected Products
PowerScale OneFS
Article Properties
Article Number: 000225667
Article Type: Dell Security Advisory
Last Modified: 03 Oct 2024