DSA-2025-208: Security Update for Dell PowerScale OneFS Multiple Vulnerabilities
Samenvatting: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Dit artikel is van toepassing op
Dit artikel is niet van toepassing op
Dit artikel is niet gebonden aan een specifiek product.
Niet alle productversies worden in dit artikel vermeld.
Impact
Critical
Gegevens
| Third-party Component | CVEs | More Information |
| Certifi | CVE-2024-39689 | https://nvd.nist.gov/vuln/search |
| FreeBSD | CVE-2024-53580 | https://nvd.nist.gov/vuln/search |
| Python | CVE-2024-6923 | https://nvd.nist.gov/vuln/search |
| Python-future | CVE-2022-40899 | https://nvd.nist.gov/vuln/search |
| OpenSSL | CVE-2024-2511 | https://nvd.nist.gov/vuln/search |
| SQLite | CVE-2023-7104 | https://nvd.nist.gov/vuln/search |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2024-53298 | Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.2, versions 9.7.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers to upgrade at the earliest opportunity. | 9.8 | |
| CVE-2025-32753 | Dell PowerScale OneFS, versions 9.5.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering. | 5.3 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2024-53298 | Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.2, versions 9.7.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers to upgrade at the earliest opportunity. | 9.8 | |
| CVE-2025-32753 | Dell PowerScale OneFS, versions 9.5.0.0 through 9.7.1.7 and versions 9.8.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering. | 5.3 |
Getroffen producten en herstel
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
| CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 | PowerScale OneFS | Versions 9.5.0.0 through 9.10.0.1 | Version 9.10.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 | PowerScale OneFS | Versions 9.7.0.0 through 9.7.1.7 | Version 9.7.1.8 or later | PowerScale OneFS Downloads Area |
| CVE-2024-53298 | PowerScale OneFS | Versions 9.5.0.0 through 9.5.1.2 | Version 9.5.1.3 or later | PowerScale OneFS Downloads Area |
| CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 | PowerScale OneFS | Versions 9.5.0.0 through 9.5.1.4 | Version 9.5.1.4 or later | PowerScale OneFS Downloads Area |
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
| CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 | PowerScale OneFS | Versions 9.5.0.0 through 9.10.0.1 | Version 9.10.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2024-53298, CVE-2025-32753, CVE-2024-39689, CVE-2024-53580, CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 | PowerScale OneFS | Versions 9.7.0.0 through 9.7.1.7 | Version 9.7.1.8 or later | PowerScale OneFS Downloads Area |
| CVE-2024-53298 | PowerScale OneFS | Versions 9.5.0.0 through 9.5.1.2 | Version 9.5.1.3 or later | PowerScale OneFS Downloads Area |
| CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 | PowerScale OneFS | Versions 9.5.0.0 through 9.5.1.4 | Version 9.5.1.4 or later | PowerScale OneFS Downloads Area |
Notes:
- The Affected Products and Remediation table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
- We encourage all customers to adopt the Long-Term Support (LTS) 2025 version which is 9.10.x code line, with the latest maintenance.
- For more information on LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary and Security Update Release Schedule for Supported Versions of Dell PowerScale OneFS.
Tijdelijke oplossingen en risicobeperking
| CVE ID | Workaround and Mitigation |
|
CVE-2024-53298 |
The vulnerability applies to all PowerScale product versions where NFSv3 or NFSv4 is enabled, and an export is configured.
Mitigation To mitigate the issue without disrupting client connections, reload each zone with configured NFS exports using the following CLI command: isi nfs export reload --zone=zone_name The mitigation must be reapplied whenever a zone reactivation occurs typically due to changes in IP address movement (interface state change, network pool re-configuration/rebalancing, nodes are added or removed, etc.)
Impact of Applying the Mitigation When zones are reloaded, new client mounts to affected NFS exports may experience a brief delay (less than 1s) before succeeding, while existing connections remain active and uninterrupted. Active operations are unaffected because NFS clients automatically retry requests during transient unavailability.
Note: A full product upgrade is required for permanent remediation. |
Revisiegeschiedenis
| Revision | Date | Description |
| 1.0 | 2025-06-04 | Initial Release |
| 2.0 | 2025-06-30 | Update to include 9.5.1.4 remediated version and CVE-2022-40899, CVE-2024-2511, CVE-2024-6923, CVE-2023-7104 |
| 3.0 | 2025-07-24 | Update to Workaround and Mitigation; no other changes |
| 4.0 | 2025-08-25 | Updates to Workaround and Mitigation and Additional Information sections |
| 5.0 | 2025-10-22 | Removed SupportAssist |
| 6.0 | 2025-12-05 | Revised the Third-party components table |
Bevestigingen
Dell would like to thank zzcentury from Ubisectech Sirius Team for reporting CVE-2025-32753.
Verwante informatie
Juridische verklaring van afstand
Getroffen producten
PowerScale OneFSArtikeleigenschappen
Artikelnummer: 000326339
Artikeltype: Dell Security Advisory
Laatst aangepast: 05 dec. 2025
Vind antwoorden op uw vragen via andere Dell gebruikers
Support Services
Controleer of uw apparaat wordt gedekt door Support Services.