DSA-2022-112: DELL PowerFlex Security Update for Multiple Vulnerabilities

Сводка: Remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Данная статья применяется к Данная статья не применяется к Эта статья не привязана к какому-либо конкретному продукту. В этой статье указаны не все версии продуктов.
Ознакомьтесь с другими ресурсами

Влияние

High

Подробные сведения

Component CVEs More Information
PowerFlex components using OpenSSL CVE-2021-3711,
CVE-2021-3712,
CVE-2022-0778		 OpenSSL is used by PowerFlex for Secure communication between its different components.
PowerFlex Gateway using Spring4Shell CVE-2022-22965 Spring article: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement This hyperlink is taking you to a website outside of Dell Technologies.
PowerFlex Presentation server and Gateway using Java or OpenJDK CVE-2022-21248,
CVE-2022-21282,
CVE-2022-21283,
CVE-2022-21293,
CVE-2022-21294,
CVE-2022-21296		 Oracle article: https://www.oracle.com/security-alerts/cpujan2022.html#AppendixJAVA This hyperlink is taking you to a website outside of Dell Technologies.

 
PowerFlex Custom node R6525 CVE-2021-26339,
CVE-2021-26373,
CVE-2021-26347,
CVE-2021-26376,
CVE-2021-26375,
CVE-2021-26378,
CVE-2021-26372,
CVE-2021-26348,
CVE-2021-26342,
CVE-2021-26388,
CVE-2021-26349, CVE-2021-26364, CVE-2021-26312, CVE-2021-26350		 Dell article: https://www.dell.com/support/kbdoc/en-vn/000199269/dsa-2022-126-dell-poweredge-server-security-updates-for-amd-server-vulnerabilities
 
Component CVEs More Information
PowerFlex components using OpenSSL CVE-2021-3711,
CVE-2021-3712,
CVE-2022-0778		 OpenSSL is used by PowerFlex for Secure communication between its different components.
PowerFlex Gateway using Spring4Shell CVE-2022-22965 Spring article: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement This hyperlink is taking you to a website outside of Dell Technologies.
PowerFlex Presentation server and Gateway using Java or OpenJDK CVE-2022-21248,
CVE-2022-21282,
CVE-2022-21283,
CVE-2022-21293,
CVE-2022-21294,
CVE-2022-21296		 Oracle article: https://www.oracle.com/security-alerts/cpujan2022.html#AppendixJAVA This hyperlink is taking you to a website outside of Dell Technologies.

 
PowerFlex Custom node R6525 CVE-2021-26339,
CVE-2021-26373,
CVE-2021-26347,
CVE-2021-26376,
CVE-2021-26375,
CVE-2021-26378,
CVE-2021-26372,
CVE-2021-26348,
CVE-2021-26342,
CVE-2021-26388,
CVE-2021-26349, CVE-2021-26364, CVE-2021-26312, CVE-2021-26350		 Dell article: https://www.dell.com/support/kbdoc/en-vn/000199269/dsa-2022-126-dell-poweredge-server-security-updates-for-amd-server-vulnerabilities
 
Dell рекомендует всем клиентам учитывать как базовую оценку CVSS, так и любые временные и обусловленные средой оценки, которые могут повлиять на потенциальную степень серьезности конкретной уязвимости.

Затронутые продукты и исправление

CVEs Addressed Product Affected Versions Updated Versions Link to Update
CVE-2021-3711, CVE-2021-3712 CVE-2022-0778 OpenSSL used by PowerFlex Software
 		 PowerFlex versions before 3.6.0.4 or latest SVM patch bundle. PowerFlex 3.6.0.4 OVA includes this updated OpenSSL package
SVM Patch bundle from August 4, 2022		 PowerFlex_3.6.0.4_107_Complete_Software.zip (with latest OVA)
SVM_OS_Patching_package_04082022.zip (for use with manual SVM upgrade)
For customer managed operating system, must upgrade with package openssl-libs-1.0.2k-24 based package, an example for CentOS7.9: openssl-libs-1.0.2k-24.el7_9.x86_64.rpm.
CVE-2022-22965 PowerFlex Software PowerFlex versions before 3.6.0.4 or 3.5.1.6 PowerFlex 3.6.0.4
PowerFlex 3.5.1.6 and later versions		 PowerFlex_3.6.0.4_107_Complete_Software.zip (with latest PowerFlex Gateway rpm)
PowerFlex_3.5.1.6_110_Complete_Software.zip (with latest PowerFlex Gateway rpm)
CVE-2021-21248 CVE-2021-21282 CVE-2021-21283 CVE-2021-21293 CVE-2021-21294 CVE-2021-21296 PowerFlex Software PowerFlex versions before 3.6.0.4 PowerFlex 3.6.0.4 and later versions PowerFlex_3.6.0.4_107_Complete_Software.zip (with latest OVA)
For customer managed operating system, self-upgrade is required with package java-1.8.0-openjdk-headless-1.8.0.322 based package for the compatible operating system or the java compatible version, an example for CentOS7.9: java-1.8.0-openjdk-headless-1.8.0.322.b06-1.el7_9
Guidelines: Java upgrade prerequisites.
 
CVE-2021-26373
CVE-2021-26339 CVE-2021-26344 CVE-2021-26347 CVE-2021-26376 CVE-2021-26375 CVE-2021-26378 CVE-2021-26372 CVE-2021-26348 CVE-2021-26342 CVE-2021-26388 CVE-2021-26349 CVE-2021-26328		 R6525 custom node
 		 BIOS Versions before 2.6.6 for AMD
 		 AMD BIOS: 2.6.6 Downloads (when upgrade is with using OME)
Documents (when manual upgrade)
 
CVEs Addressed Product Affected Versions Updated Versions Link to Update
CVE-2021-3711, CVE-2021-3712 CVE-2022-0778 OpenSSL used by PowerFlex Software
 		 PowerFlex versions before 3.6.0.4 or latest SVM patch bundle. PowerFlex 3.6.0.4 OVA includes this updated OpenSSL package
SVM Patch bundle from August 4, 2022		 PowerFlex_3.6.0.4_107_Complete_Software.zip (with latest OVA)
SVM_OS_Patching_package_04082022.zip (for use with manual SVM upgrade)
For customer managed operating system, must upgrade with package openssl-libs-1.0.2k-24 based package, an example for CentOS7.9: openssl-libs-1.0.2k-24.el7_9.x86_64.rpm.
CVE-2022-22965 PowerFlex Software PowerFlex versions before 3.6.0.4 or 3.5.1.6 PowerFlex 3.6.0.4
PowerFlex 3.5.1.6 and later versions		 PowerFlex_3.6.0.4_107_Complete_Software.zip (with latest PowerFlex Gateway rpm)
PowerFlex_3.5.1.6_110_Complete_Software.zip (with latest PowerFlex Gateway rpm)
CVE-2021-21248 CVE-2021-21282 CVE-2021-21283 CVE-2021-21293 CVE-2021-21294 CVE-2021-21296 PowerFlex Software PowerFlex versions before 3.6.0.4 PowerFlex 3.6.0.4 and later versions PowerFlex_3.6.0.4_107_Complete_Software.zip (with latest OVA)
For customer managed operating system, self-upgrade is required with package java-1.8.0-openjdk-headless-1.8.0.322 based package for the compatible operating system or the java compatible version, an example for CentOS7.9: java-1.8.0-openjdk-headless-1.8.0.322.b06-1.el7_9
Guidelines: Java upgrade prerequisites.
 
CVE-2021-26373
CVE-2021-26339 CVE-2021-26344 CVE-2021-26347 CVE-2021-26376 CVE-2021-26375 CVE-2021-26378 CVE-2021-26372 CVE-2021-26348 CVE-2021-26342 CVE-2021-26388 CVE-2021-26349 CVE-2021-26328		 R6525 custom node
 		 BIOS Versions before 2.6.6 for AMD
 		 AMD BIOS: 2.6.6 Downloads (when upgrade is with using OME)
Documents (when manual upgrade)
 

История изменений

RevisionDateDescription
1.02022-05-02Initial Draft for review
2.02022-05-03Clarified some OpenSSL upgrade info
3.02022-05-06Updated CVEs for AMD issue based on new AMD-SN

Связанная информация

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Правовая оговорка

Затронутые продукты

PowerFlex custom node, PowerFlex custom node, PowerFlex custom node R650, PowerFlex custom node R6525

Продукты

Product Security Information
Свойства статьи
Номер статьи: 000199942
Тип статьи: Dell Security Advisory
Последнее изменение: 05 Nov 2025
Получите ответы на свои вопросы от других пользователей Dell
Услуги технической поддержки
Проверьте, распространяются ли на ваше устройство услуги технической поддержки.