DSA-2022-172: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities

详细文章

影响

详情

受影响的产品和补救措施

解决方法和缓解措施

修订历史记录

摘要: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

本文适用于本文不适用于本文并非针对某种特定的产品。本文并非包含所有产品版本。

High

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2022-34369	Dell PowerScale OneFS versions 9.0.0 up to and including 9.1.0.20, 9.2.1.13, 9.3.0.6, and 9.4.0.3 contain an insertion of sensitive information in log files vulnerability. A remote unprivileged attacker may potentially exploit this vulnerability, leading to exposure of this sensitive data.	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34371	Dell PowerScale OneFS versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.3 contain an unprotected transport of credentials vulnerability. A malicious unprivileged network attacker may potentially exploit this vulnerability, leading to full system compromise.	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34378	Dell PowerScale OneFS versions 9.0.0 up to and including 9.1.0.20, 9.2.1.13, 9.3.0.6, and 9.4.0.3 contain a relative path traversal vulnerability. A low privileged local attacker may potentially exploit this vulnerability, leading to denial of service.	5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2022-34369	Dell PowerScale OneFS versions 9.0.0 up to and including 9.1.0.20, 9.2.1.13, 9.3.0.6, and 9.4.0.3 contain an insertion of sensitive information in log files vulnerability. A remote unprivileged attacker may potentially exploit this vulnerability, leading to exposure of this sensitive data.	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34371	Dell PowerScale OneFS versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.3 contain an unprotected transport of credentials vulnerability. A malicious unprivileged network attacker may potentially exploit this vulnerability, leading to full system compromise.	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34378	Dell PowerScale OneFS versions 9.0.0 up to and including 9.1.0.20, 9.2.1.13, 9.3.0.6, and 9.4.0.3 contain a relative path traversal vulnerability. A low privileged local attacker may potentially exploit this vulnerability, leading to denial of service.	5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Dell Technologies 建议所有客户考虑 CVSS 基本分数以及任何相关的时间和环境分数，这可能会影响与特定安全漏洞相关的潜在严重程度。

CVEs Addressed	Product	Affected Versions	Updated Versions	Link to Update
CVE-2022-34369	Dell PowerScale OneFS	9.1.0.0 through 9.1.0.20 9.2.1.0 through 9.2.1.13 9.3.0.0 through 9.3.0.6 9.4.0.0 through 9.4.0.3 Download and install the latest RUP and follow the additional steps in "Workarounds and Mitigations".	>= 9.1.0.21 >= 9.2.1.14 >= 9.3.0.7 >= 9.4.0.4	PowerScale OneFS Downloads Area
CVE-2022-34369	Dell PowerScale OneFS	Any other version	Upgrade your version of PowerScale OneFS
CVE-2022-34371	Dell PowerScale OneFS	9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 9.3.0.0 through 9.3.0.6 9.4.0.0 through 9.4.0.3 Download and install the latest RUP and follow the additional steps in "Workarounds and Mitigations".	>= 9.1.0.20 >= 9.2.1.13 >= 9.3.0.7 >= 9.4.0.4
CVE-2022-34371	Dell PowerScale OneFS	Any other version	Upgrade your version of PowerScale OneFS
CVE-2022-34378	Dell PowerScale OneFS	9.1.0.0 through 9.1.0.20 9.2.1.0 through 9.2.1.13 9.3.0.0 through 9.3.0.6 9.4.0.0 through 9.4.0.3 Download and install the latest RUP and follow the additional steps in "Workarounds and Mitigations".	>= 9.1.0.21 >= 9.2.1.14 >= 9.3.0.7 >= 9.4.0.4
CVE-2022-34378	Dell PowerScale OneFS	Any other version	Upgrade your version of PowerScale OneFS

CVEs Addressed	Product	Affected Versions	Updated Versions	Link to Update
CVE-2022-34369	Dell PowerScale OneFS	9.1.0.0 through 9.1.0.20 9.2.1.0 through 9.2.1.13 9.3.0.0 through 9.3.0.6 9.4.0.0 through 9.4.0.3 Download and install the latest RUP and follow the additional steps in "Workarounds and Mitigations".	>= 9.1.0.21 >= 9.2.1.14 >= 9.3.0.7 >= 9.4.0.4	PowerScale OneFS Downloads Area
CVE-2022-34369	Dell PowerScale OneFS	Any other version	Upgrade your version of PowerScale OneFS
CVE-2022-34371	Dell PowerScale OneFS	9.1.0.0 through 9.1.0.19 9.2.1.0 through 9.2.1.12 9.3.0.0 through 9.3.0.6 9.4.0.0 through 9.4.0.3 Download and install the latest RUP and follow the additional steps in "Workarounds and Mitigations".	>= 9.1.0.20 >= 9.2.1.13 >= 9.3.0.7 >= 9.4.0.4
CVE-2022-34371	Dell PowerScale OneFS	Any other version	Upgrade your version of PowerScale OneFS
CVE-2022-34378	Dell PowerScale OneFS	9.1.0.0 through 9.1.0.20 9.2.1.0 through 9.2.1.13 9.3.0.0 through 9.3.0.6 9.4.0.0 through 9.4.0.3 Download and install the latest RUP and follow the additional steps in "Workarounds and Mitigations".	>= 9.1.0.21 >= 9.2.1.14 >= 9.3.0.7 >= 9.4.0.4
CVE-2022-34378	Dell PowerScale OneFS	Any other version	Upgrade your version of PowerScale OneFS

CVE	Additional Mitigation
CVE-2022-34369	In addition to upgrading your version of Dell PowerScale OneFS or downloading and installing the latest RUP, Dell always recommends to use a secure/encrypted transport when sending logs to Dell. Dell recommends to change passwords for enabled accounts in the System zone file provider. Which can be identified via: isi auth users list --provider=lsa-file-provider:System -v \| grep -e "Name: " -e "Enabled: " \| grep -B 1 "Enabled: Yes"
CVE-2022-34371	In addition to upgrading your version of Dell PowerScale OneFS or downloading and installing the latest RUP, Dell always recommends to use a secure/encrypted transport when sending logs to Dell. Dell recommends to change passwords for enabled accounts in the System zone file provider. Which can be identified via: isi auth users list --provider=lsa-file-provider:System -v \| grep -e "Name: " -e "Enabled: " \| grep -B 1 "Enabled: Yes"

Revision	Date	Description
1.0	2022-08-04	Initial Release

PowerScale OneFS, Product Security Information

文章编号: 000202171

文章类型: Dell Security Advisory

上次修改时间: 08 6月 2023