Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

DSA-2021-180: Dell PowerScale OneFS Security Update for Multiple Vulnerabilities.

Summary: Dell PowerScale OneFS remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Impact

Medium

Details

Proprietary Code CVE Description CVSS Base Score CVSS Vector String
CVE-2021-36305 Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data in a Multithreaded Context in SMB CA handling. An authenticated user of SMB on a cluster with CA may potentially exploit this vulnerability, leading to a denial of service over SMB. 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 
Third-party Component CVE More information
FreeBSD CVE-2021-29626 https://nvd.nist.gov/vuln/detail/CVE-2021-29626
In OneFS, a copy-on-write logic failed to invalidate shared memory page mappings between multiple processes which amy allow an unprivileged process to maintain a mapping after it is freed, allowing the process to read private data belonging to other processes or the kernel.
Proprietary Code CVE Description CVSS Base Score CVSS Vector String
CVE-2021-36305 Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data in a Multithreaded Context in SMB CA handling. An authenticated user of SMB on a cluster with CA may potentially exploit this vulnerability, leading to a denial of service over SMB. 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 
Third-party Component CVE More information
FreeBSD CVE-2021-29626 https://nvd.nist.gov/vuln/detail/CVE-2021-29626
In OneFS, a copy-on-write logic failed to invalidate shared memory page mappings between multiple processes which amy allow an unprivileged process to maintain a mapping after it is freed, allowing the process to read private data belonging to other processes or the kernel.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVEs Addressed  Affected Versions Updated Versions Link to Update
CVE-2021-36305 8.2.0, 8.2.1, 9.0.0.x, 9.2.0.x, and 9.1.1.x Upgrade your version of OneFS PowerScale OneFS Downloads Area
8.2.2, 9.1.0.x , and 9.2.1.x Download and install the latest RUP
CVE-2021-29626 8.2.0, 8.2.1, 9.0.0.x, 9.2.0.x, and 9.1.1.x Upgrade your version of OneFS
8.2.x, 9.1.0.x , and 9.2.1.x Download and install the latest RUP
CVEs Addressed  Affected Versions Updated Versions Link to Update
CVE-2021-36305 8.2.0, 8.2.1, 9.0.0.x, 9.2.0.x, and 9.1.1.x Upgrade your version of OneFS PowerScale OneFS Downloads Area
8.2.2, 9.1.0.x , and 9.2.1.x Download and install the latest RUP
CVE-2021-29626 8.2.0, 8.2.1, 9.0.0.x, 9.2.0.x, and 9.1.1.x Upgrade your version of OneFS
8.2.x, 9.1.0.x , and 9.2.1.x Download and install the latest RUP

Workarounds & Mitigations

  Workarounds or Mitigations
CVE-2021-36305 Disabling Continuous Availability (CA) on all SMB shares that has it enabled prevents the issue.
CVE-2021-29626 Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users.

Revision History

RevisionDateDescription
1.030 Sep 2021 Initial Release

Related Information

Affected Products

PowerScale OneFS, Product Security Information
Article Properties
Article Number: 000192046
Article Type: Dell Security Advisory
Last Modified: 15 Feb 2022
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.