DSA-2024-028: Security Update for Dell PowerScale OneFS for Multiple Security Vulnerabilities
Resumo: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Este artigo aplica-se a
Este artigo não se aplica a
Este artigo não está vinculado a nenhum produto específico.
Nem todas as versões do produto estão identificadas neste artigo.
Impacto
High
Dados
| Third-Party Component | CVEs | More information |
|---|---|---|
| Python | CVE-2022-48566 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H  |
| Python | CVE-2022-48560, CVE-2023-41105, CVE-2022-48564, CVE-2023-40217, CVE-2022-45061 | See NVD link below for individual scores for each CVE. http://nvd.nist.gov/ |
| GNU Screen | CVE-2023-24626, CVE-2015-6806, CVE-2009-1214, CVE-2009-1215 | See NVD link below for individual scores for each CVE. http://nvd.nist.gov/ |
| Curl | CVE-2023-38545, CVE-2023-38546 | See NVD link below for individual scores for each CVE. http://nvd.nist.gov/ |
| OpenSSL | CVE-2023-3446 | https://nvd.nist.gov/vuln/detail/CVE-2023-3446 |
| python-certifi | CVE-2023-37920 | https://nvd.nist.gov/vuln/detail/CVE-2023-37920 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-22449 | Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access. | 6.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H |
| CVE-2024-22430 | Dell PowerScale OneFS versions 8.2.x through 9.6.0.x contains an incorrect default permissions vulnerability. A local low privileges malicious user could potentially exploit this vulnerability, leading to denial of service. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2024-22449 | Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access. | 6.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H |
| CVE-2024-22430 | Dell PowerScale OneFS versions 8.2.x through 9.6.0.x contains an incorrect default permissions vulnerability. A local low privileges malicious user could potentially exploit this vulnerability, leading to denial of service. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Produtos afetados e soluções
| CVEs Addressed | Product | Affected Version | Remediated Version | Link |
|---|---|---|---|---|
| CVE-2023-24626, CVE-2015-6806, CVE-2009-1214, CVE-2009-1215, CVE-2024-22430, CVE-2023-3446, CVE-2023-37920 | PowerScale OneFS | Versions 8.2.0 through 8.2.2 | Version 9.5.0.7 or later | PowerScale OneFS Downloads Area |
| CVE-2024-22449, CVE-2024-22430, CVE-2023-38545, CVE-2023-38546, CVE-2023-3446, CVE-2023-24626, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 | PowerScale OneFS | Versions 9.0.0.0 through 9.4.0.0 | Version 9.5.0.7 or later | PowerScale OneFS Downloads Area |
| CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214, CVE-2022-45061 | PowerScale OneFS | Versions 9.5.0.0 through 9.5.0.6 | Version 9.5.0.7 or later, Version 9.7.0.0 or later | PowerScale OneFS Downloads Area |
| CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 | PowerScale OneFS | Version 9.6.1.0 | Version 9.7.0.0 or later | PowerScale OneFS Downloads Area |
| CVEs Addressed | Product | Affected Version | Remediated Version | Link |
|---|---|---|---|---|
| CVE-2023-24626, CVE-2015-6806, CVE-2009-1214, CVE-2009-1215, CVE-2024-22430, CVE-2023-3446, CVE-2023-37920 | PowerScale OneFS | Versions 8.2.0 through 8.2.2 | Version 9.5.0.7 or later | PowerScale OneFS Downloads Area |
| CVE-2024-22449, CVE-2024-22430, CVE-2023-38545, CVE-2023-38546, CVE-2023-3446, CVE-2023-24626, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 | PowerScale OneFS | Versions 9.0.0.0 through 9.4.0.0 | Version 9.5.0.7 or later | PowerScale OneFS Downloads Area |
| CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214, CVE-2022-45061 | PowerScale OneFS | Versions 9.5.0.0 through 9.5.0.6 | Version 9.5.0.7 or later, Version 9.7.0.0 or later | PowerScale OneFS Downloads Area |
| CVE-2024-22449, CVE-2024-22430, CVE-2023-41105, CVE-2023-40217, CVE-2023-38546, CVE-2023-38545, CVE-2023-3446, CVE-2023-24626, CVE-2023-37920, CVE-2022-48566, CVE-2022-48564, CVE-2022-48560, CVE-2015-6806, CVE-2009-1215, CVE-2009-1214 | PowerScale OneFS | Version 9.6.1.0 | Version 9.7.0.0 or later | PowerScale OneFS Downloads Area |
Soluções temporárias e atenuações
| CVE | Workaround and Mitigation |
|---|---|
| CVE-2024-22430 | This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users. This vulnerability can be mitigated on new version of PowerScale OneFS i.e. 9.5 or later by enabling the restricted shell for users. More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub The following workaround is only applicable to a non-compliance mode cluster. If there are users with restricted shell is not enabled, then root user should restrict the permissions for isi_upgrade_force and isi_upgrade_message on every node as follows: #chmod 500 /usr/sbin/isi_upgrade_force #chmod 500 /usr/sbin/isi_upgrade_message Or execute below command on any one node: #isi_for_array chmod 500 /usr/sbin/isi_upgrade_force #isi_for_array chmod 500 /usr/sbin/isi_upgrade_message |
| CVE-2024-22449 | This vulnerability only applies when customers are given ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to users. This vulnerability can be mitigated on new version of PowerScale OneFS i.e. 9.5 or later by enabling the restricted shell for users. More information regarding restricted shell can be found at: OneFS Restricted Shell | Dell Technologies Info Hub |
Histórico de revisão
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-02-01 | Initial Release |
Informações relacionadas
Aviso de isenção legal
Produtos afetados
PowerScale OneFSPropriedades do artigo
Número do artigo: 000221707
Tipo de artigo: Dell Security Advisory
Último modificado: 19 set. 2025
Encontre as respostas de outros usuários da Dell para suas perguntas.
Serviços de suporte
Verifique se o dispositivo está coberto pelos serviços de suporte.