DSA-2022-002: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities
Сводка: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system.
Данная статья применяется к
Данная статья не применяется к
Эта статья не привязана к какому-либо конкретному продукту.
В этой статье указаны не все версии продуктов.
Влияние
High
Подробные сведения
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-22561 | Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts. | 8.1 | CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVE-2022-22549 | Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2022-22559 | Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-22562 | Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-22560 | Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline. | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| CVE-2022-22550 | Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-22565 | Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data. | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| Third-party Component | CVEs | More information |
| GNU gettext | CVE-2018-18751 | https://nvd.nist.gov/vuln/detail/CVE-2018-18751 https://www.gnu.org/software/gettext/ |
| OpenSSL | CVE-2021-3712 | https://nvd.nist.gov/vuln/detail/CVE-2021-3712 https://www.openssl.org/news/secadv/20210824.txt |
| Apache | Multiple | https://httpd.apache.org/security/vulnerabilities_24.html |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-22561 | Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts. | 8.1 | CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVE-2022-22549 | Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2022-22559 | Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-22562 | Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-22560 | Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline. | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| CVE-2022-22550 | Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-22565 | Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data. | 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| Third-party Component | CVEs | More information |
| GNU gettext | CVE-2018-18751 | https://nvd.nist.gov/vuln/detail/CVE-2018-18751 https://www.gnu.org/software/gettext/ |
| OpenSSL | CVE-2021-3712 | https://nvd.nist.gov/vuln/detail/CVE-2021-3712 https://www.openssl.org/news/secadv/20210824.txt |
| Apache | Multiple | https://httpd.apache.org/security/vulnerabilities_24.html |
Затронутые продукты и исправление
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-22561 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22549 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22559 | n/a | Upgrade your version of OneFS | |
| 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22562 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22560 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22550 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2018-18751 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2021-3712 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| Apache: Multiple | 8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22565 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-22561 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | PowerScale OneFS Downloads Area |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22549 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22559 | n/a | Upgrade your version of OneFS | |
| 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22562 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22560 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2022-22550 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2018-18751 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| CVE-2021-3712 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP | ||
| Apache: Multiple | 8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, 9.3.0.x | Download and install the latest RUP | ||
| CVE-2022-22565 | 8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x | Upgrade your version of OneFS | |
| 9.1.0.x, 9.2.1.x, and 9.3.0.x | Download and install the latest RUP |
Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.
История изменений
| Revision | Date | Description |
| 1.0 | 2022-01-31 | Initial Release |
Связанная информация
Правовая оговорка
Затронутые продукты
PowerScale OneFS, Product Security InformationСвойства статьи
Номер статьи: 000195815
Тип статьи: Dell Security Advisory
Последнее изменение: 31 Jan 2022
Получите ответы на свои вопросы от других пользователей Dell
Услуги технической поддержки
Проверьте, распространяются ли на ваше устройство услуги технической поддержки.