DSA-2026-047: Security update for Dell ECS and ObjectScale Multiple Vulnerabilities
Resumo: Dell ECS and ObjectScale remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Este artigo aplica-se a
Este artigo não se aplica a
Este artigo não está vinculado a nenhum produto específico.
Nem todas as versões do produto estão identificadas neste artigo.
Impacto
Critical
Dados
| Third-party Component | CVEs | More Information |
| Apache Commons IO | CVE-2024-47554 | https://nvd.nist.gov/vuln/search |
| jackson-core | CVE-2025-52999 | https://nvd.nist.gov/vuln/search |
| kernel-default | CVE-2022-50482, CVE-2022-50497 | https://nvd.nist.gov/vuln/search |
| net/netip | CVE-2024-24790 | https://nvd.nist.gov/vuln/search |
| XStream | CVE-2024-47072 | https://nvd.nist.gov/vuln/search |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-22273 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-22271 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2026-22274 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-22276 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-22275 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-22273 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2026-22271 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2026-22274 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVE-2026-22276 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2026-22275 | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contains an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Produtos afetados e soluções
| Product | Affected Versions | Remediated Versions | Link |
| Elastic Cloud Storage (ECS) | Versions 3.8.1.0 through 3.8.1.7 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
| ObjectScale | Versions prior to 4.2.0.0 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
| Product | Affected Versions | Remediated Versions | Link |
| Elastic Cloud Storage (ECS) | Versions 3.8.1.0 through 3.8.1.7 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
| ObjectScale | Versions prior to 4.2.0.0 | Version 4.2.0.0 or later | Open a Service Request for an Operating Environment Upgrade and Quote DSA-2026-047 |
Note:
-
To remediate vulnerabilities, customers running supported affected versions of ECS must upgrade to the latest ObjectScale release 4.2.0.0.
- Dell recommends all customers have their ObjectScale systems upgraded at the earliest opportunity by opening an “Operating Environment Upgrade” Service Request.
- Please visit the Security Update Release Schedule for Supported Versions of ObjectScale (formerly ECS) for more information.
Soluções temporárias e atenuações
| CVE ID | Workaround and Mitigation |
| CVE-2026-22273 | To mitigate this vulnerability, customers on all supported ECS or Objectscale versions, still using default credentials, can apply the password change procedure documented as a 'NOTE' under the ‘Default Node Users’ table in the Dell ObjectScale 4.2.0.0 Security Configuration Guide, without performing an upgrade. |
| CVE-2026-22271 |
To remediate this vulnerability, starting with ObjectScale version 4.2.0.0, the system automatically disables CAS unless it detects active usage. To mitigate this vulnerability, customers who have not upgraded to ObjectScale version 4.2.0.0 yet or are actively using CAS in their setup should refer to the ‘Securing the CAS Protocol’ section in the Dell ObjectScale 4.2.0.0 Security Configuration Guide and apply the recommended steps. |
Histórico de revisão
| Revision | Date | Description |
| 1.0 | 2026-01-16 | Initial Release |
| 2.0 | 2026-01-20 | Minor Update: Aligned CVE-2026-22271 and CVE-2026-22273 mitigations with their descriptions |
| 3.0 | 2026-05-11 | Major Update: Added kernel related CVE-2022-50482 and CVE-2022-50497 |
Informações relacionadas
Aviso de isenção legal
Produtos afetados
ECS, ObjectScale, ECS Appliance, ECS Appliance Hardware Series, ECS Appliance Software with Encryption, ECS Appliance Software without Encryption, ObjectScale Software with Encryption, ObjectScale Software without Encryption
, ObjectScale Appliance Series, ObjectScale Software Series
...
Propriedades do artigo
Número do artigo: 000415880
Tipo de artigo: Dell Security Advisory
Último modificado: 10 mai. 2026
Encontre as respostas de outros usuários da Dell para suas perguntas.
Serviços de suporte
Verifique se o dispositivo está coberto pelos serviços de suporte.