DSA-2021-142: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities
摘要: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may potentially be exploited by malicious users to compromise the affected system.
本文适用于
本文不适用于
本文并非针对某种特定的产品。
本文并非包含所有产品版本。
影响
Critical
详情
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-21568 | Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an insufficient logging vulnerability. An authenticated user with ISI_PRIV_LOGIN_PAPI may make un-audited and un-trackable configuration changes to settings that their roles have privileges to change. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| CVE-2021-21592 | Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x improperly handle an exceptional condition. A remote low privileged user may potentially exploit this vulnerability, leading to unauthorized information disclosure. | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVE-2021-21594 | Dell PowerScale OneFS versions 8.2.2 - 9.1.0.x contain a use of get request method with sensitive query strings vulnerability. It may lead to potential disclosure of sensitive data. Dell recommends upgrading at your earliest opportunity. | 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H |
| CVE-2021-21595 | Dell EMC PowerScale OneFS versions 8.2.x - 9.1.1.x contain an improper neutralization of special elements used in an OS command. This vulnerability may allow the compadmin user to elevate privileges. This only impacts Smartlock WORM compliance mode clusters as a critical vulnerability and Dell recommends to update or upgrade at the earliest opportunity. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2021-21599 | Dell EMC PowerScale OneFS versions 8.2.x - 9.2.1.x contain an OS command injection vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to escalate privileges and escape the compliance guarantees. This only impacts Smartlock WORM compliance mode clusters as a critical vulnerability and Dell recommends to update or upgrade at the earliest opportunity. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2021-36278 | Dell EMC PowerScale OneFS versions 8.2.x, 9.1.0.x, and 9.1.1.1 contain a sensitive information exposure vulnerability in log files. A local malicious user with ISI_PRIV_LOGIN_SSH, ISI_PRIV_LOGIN_CONSOLE, or ISI_PRIV_SYS_SUPPORT privileges may exploit this vulnerability to access sensitive information. If any third-party consumes those logs, the same sensitive information is available to those systems as well. Dell recommends to update or upgrade at the earliest opportunity. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36279 | Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster. | 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVE-2021-36281 | Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment vulnerability. A low privileged authenticated user may potentially exploit this vulnerability to escalate privileges. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36282 | Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability. This may potentially allow an authenticated user with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to gain access up to 24 bytes of data within the /ifs kernel stack under certain conditions. | 2.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2021-21568 | Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an insufficient logging vulnerability. An authenticated user with ISI_PRIV_LOGIN_PAPI may make un-audited and un-trackable configuration changes to settings that their roles have privileges to change. | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| CVE-2021-21592 | Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x improperly handle an exceptional condition. A remote low privileged user may potentially exploit this vulnerability, leading to unauthorized information disclosure. | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVE-2021-21594 | Dell PowerScale OneFS versions 8.2.2 - 9.1.0.x contain a use of get request method with sensitive query strings vulnerability. It may lead to potential disclosure of sensitive data. Dell recommends upgrading at your earliest opportunity. | 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H |
| CVE-2021-21595 | Dell EMC PowerScale OneFS versions 8.2.x - 9.1.1.x contain an improper neutralization of special elements used in an OS command. This vulnerability may allow the compadmin user to elevate privileges. This only impacts Smartlock WORM compliance mode clusters as a critical vulnerability and Dell recommends to update or upgrade at the earliest opportunity. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2021-21599 | Dell EMC PowerScale OneFS versions 8.2.x - 9.2.1.x contain an OS command injection vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to escalate privileges and escape the compliance guarantees. This only impacts Smartlock WORM compliance mode clusters as a critical vulnerability and Dell recommends to update or upgrade at the earliest opportunity. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2021-36278 | Dell EMC PowerScale OneFS versions 8.2.x, 9.1.0.x, and 9.1.1.1 contain a sensitive information exposure vulnerability in log files. A local malicious user with ISI_PRIV_LOGIN_SSH, ISI_PRIV_LOGIN_CONSOLE, or ISI_PRIV_SYS_SUPPORT privileges may exploit this vulnerability to access sensitive information. If any third-party consumes those logs, the same sensitive information is available to those systems as well. Dell recommends to update or upgrade at the earliest opportunity. | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36279 | Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster. | 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVE-2021-36281 | Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment vulnerability. A low privileged authenticated user may potentially exploit this vulnerability to escalate privileges. | 7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-36282 | Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability. This may potentially allow an authenticated user with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to gain access up to 24 bytes of data within the /ifs kernel stack under certain conditions. | 2.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
受影响的产品和补救措施
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2021-21568 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | PowerScale Download Area Additional Guidance: In addition to upgrading your version of OneFS or downloading and installing the latest RUP, Dell recommends changing the root password for PowerScale. If the root account is used by clients (for example, backup software, scripting), the clients must be updated with the new password. If the root password for PowerScale was used as a password elsewhere, Dell recommends changing these passwords and does not recommend using the same password on multiple accounts and programs. |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2021-21592 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2021-21594 | 9.0.0.x | Upgrade your version of OneFS | |
| 8.2.2 and 9.1.0.x | Download and install the latest RUP | ||
| CVE-2021-21595 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2021-21599 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2 and 9.1.0.x | Download and install the latest RUP | ||
| CVE-2021-36278 | 8.2.x, 9.0.0.x, and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2 and 9.1.0.x | Download and install the latest RUP | ||
| CVE-2021-36279 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2 and 9.1.0.x | Download and install the latest RUP | ||
| CVE-2021-36281 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2021-36282 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2 and 9.1.0.x | Download and install the latest RUP |
| CVEs Addressed | Affected Versions | Updated Versions | Link to Update |
| CVE-2021-21568 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | PowerScale Download Area Additional Guidance: In addition to upgrading your version of OneFS or downloading and installing the latest RUP, Dell recommends changing the root password for PowerScale. If the root account is used by clients (for example, backup software, scripting), the clients must be updated with the new password. If the root password for PowerScale was used as a password elsewhere, Dell recommends changing these passwords and does not recommend using the same password on multiple accounts and programs. |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2021-21592 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2021-21594 | 9.0.0.x | Upgrade your version of OneFS | |
| 8.2.2 and 9.1.0.x | Download and install the latest RUP | ||
| CVE-2021-21595 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2021-21599 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2 and 9.1.0.x | Download and install the latest RUP | ||
| CVE-2021-36278 | 8.2.x, 9.0.0.x, and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2 and 9.1.0.x | Download and install the latest RUP | ||
| CVE-2021-36279 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2 and 9.1.0.x | Download and install the latest RUP | ||
| CVE-2021-36281 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2, 9.1.0.x, and 9.2.1.x | Download and install the latest RUP | ||
| CVE-2021-36282 | 9.0.0.x and 9.2.0 | Upgrade your version of OneFS | |
| 8.2.2 and 9.1.0.x | Download and install the latest RUP |
解决方法和缓解措施
In addition to applying the Workaround and Mitigations below, Dell recommends changing the root password for PowerScale. If the root account is used by clients (for example, backup software, scripting), the clients must be updated with the new password. If the root password for PowerScale was used as a password elsewhere, Dell recommends changing these passwords and does not recommend using the same password on multiple accounts and programs.
| Workarounds or mitigations | |
| CVE-2021-21568 | Disallow ISI_PRIV_LOGIN_PAPI privileges to non-administrative users. |
| CVE-2021-21592 | None |
| CVE-2021-21594 | None |
| CVE-2021-21595 | This only applies to clusters running in WORM Smartlock Compliance mode. |
| CVE-2021-21599 | This only applies to clusters running in WORM Smartlock Compliance mode. |
| CVE-2021-36278 | Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users. |
| CVE-2021-36279 | Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users. OR As root for clusters not in Smartlock WORM Compliance Mode the following remediates the issue
|
| CVE-2021-36281 |
|
| CVE-2021-36282 | Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users. |
修订历史记录
| Revision | Date | Description |
| 1.0 | 2021-08-10 | Initial Release |
| 2.0 | 2021-08-26 | CVE-2021-36280 due to partial fix, complete fix is in the next DSA-2021-158 |
| 2.1 | 2022-03-11 | Updated CVE-2021-36278 description for clarity. |
| 3.0 | 2022-04-13 | Updated CVE-2021-36278 score and provided additional remediation guidance. |
相关信息
法律免责声明
受影响的产品
PowerScale OneFS, Product Security Information文章属性
文章编号: 000190408
文章类型: Dell Security Advisory
上次修改时间: 13 4月 2022
从其他戴尔用户那里查找问题的答案
支持服务
检查您的设备是否在支持服务涵盖的范围内。