DSA-2023-102: Dell EMC PowerScale OneFS Security Updates for Multiple Security Vulnerabilities
Summary: Dell EMC PowerScale OneFS remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
Critical
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2023-25941 | Dell PowerScale OneFS versions 8.2.x-9.5.0.x contain an elevation of privilege vulnerability. A low-privileged local attacker could potentially exploit this vulnerability, leading to Denial of service, escalation of privileges, and information disclosure. This vulnerability breaks the compliance mode guarantee. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-25940 | Dell PowerScale OneFS version 9.5.0.0 contains improper link resolution before file access vulnerability in isi_gather_info. A high privileged local attacker could potentially exploit this vulnerability, leading to system takeover and it breaks the compliance mode guarantees. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-25942 | Dell PowerScale OneFS versions 8.2.x-9.4.x contain an uncontrolled resource consumption vulnerability. A malicious network user with low privileges could potentially exploit this vulnerability in SMB, leading to a potential denial of service. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Third-Party Component | CVEs | CVSS Vector String |
| Apache | CVE-2022-26377 CVE-2022-28330 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556 CVE-2022-31813 |
See NVD  for more details.See NVD for more details.See NVD for more details.See NVD for more details.See NVD for more details.See NVD for more details.See NVD for more details.See NVD for more details. |
| FreeBSD | CVE-2019-15876 | See NVD for more details. |
Note: CVE-2023-25941 and CVE-2023-25940 are only applicable to compliance mode clusters and both are business critical as it breaks compliance mode guarantee.
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2023-25941 | Dell PowerScale OneFS versions 8.2.x-9.5.0.x contain an elevation of privilege vulnerability. A low-privileged local attacker could potentially exploit this vulnerability, leading to Denial of service, escalation of privileges, and information disclosure. This vulnerability breaks the compliance mode guarantee. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-25940 | Dell PowerScale OneFS version 9.5.0.0 contains improper link resolution before file access vulnerability in isi_gather_info. A high privileged local attacker could potentially exploit this vulnerability, leading to system takeover and it breaks the compliance mode guarantees. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-25942 | Dell PowerScale OneFS versions 8.2.x-9.4.x contain an uncontrolled resource consumption vulnerability. A malicious network user with low privileges could potentially exploit this vulnerability in SMB, leading to a potential denial of service. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Third-Party Component | CVEs | CVSS Vector String |
| Apache | CVE-2022-26377 CVE-2022-28330 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556 CVE-2022-31813 |
See NVD for more details. See NVD for more details.See NVD for more details.See NVD for more details.See NVD for more details.See NVD for more details.See NVD for more details.See NVD for more details. |
| FreeBSD | CVE-2019-15876 | See NVD for more details. |
Note: CVE-2023-25941 and CVE-2023-25940 are only applicable to compliance mode clusters and both are business critical as it breaks compliance mode guarantee.
Affected Products & Remediation
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
|
CVE-2022-26377
CVE-2022-28330
CVE-2022-28614
CVE-2022-28615
CVE-2022-29404
CVE-2022-30522
CVE-2022-30556
CVE-2022-31813
|
PowerScale OneFS | 9.1.0.0 through 9.1.0.27 9.2.1.0 through 9.2.1.20 9.4.0.0 through 9.4.0.12 |
Download and install the latest RUP. >= 9.1.0.28 >= 9.2.1.21 >= 9.4.0.13 |
PowerScale OneFS Downloads Area |
| Any other version | Upgrade your version of PowerScale OneFS. | |||
| CVE-2023-25941 |
PowerScale OneFS | 9.2.1.0 through 9.2.1.21 9.4.0.0 through 9.4.0.12 9.5.0.0 through 9.5.0.1 |
Download and install the latest RUP. >= 9.2.1.22 >= 9.4.0.13 >= 9.5.0.2 |
|
| 9.1.0.0 through 9.1.0.28 | Upgrade your version of PowerScale OneFS to >= 9.4.0.13. | |||
| Any other version | Upgrade your version of PowerScale OneFS. | |||
| CVE-2023-25940 | PowerScale OneFS | 9.5.0.0 | Download and install the latest RUP. >= 9.5.0.1 |
|
| CVE-2023-25942 |
PowerScale OneFS | 9.2.1.0 through 9.2.1.21 9.4.0.0 through 9.4.0.12 9.5.0.0 |
Download and install the latest RUP. >= 9.2.1.22 >= 9.4.0.13 >= 9.5.0.1 |
|
| 9.1.0.0 through 9.1.0.28 | Upgrade your version of PowerScale OneFS to >= 9.4.0.13. | |||
| Any other version | Upgrade your version of PowerScale OneFS. | |||
| CVE-2019-15876 |
PowerScale OneFS with Gen6 H5600 node | 9.2.1.0 through 9.2.1.21 9.4.0.0 through 9.4.0.12 9.5.0.0 |
Download and install the latest RUP. >= 9.2.1.22 >= 9.4.0.13 >= 9.5.0.1 |
|
| 9.1.0.0 through 9.1.0.28 | Upgrade your version of PowerScale OneFS to >= 9.4.0.13. | |||
| Any other version | Upgrade your version of PowerScale OneFS. |
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
|
CVE-2022-26377
CVE-2022-28330
CVE-2022-28614
CVE-2022-28615
CVE-2022-29404
CVE-2022-30522
CVE-2022-30556
CVE-2022-31813
|
PowerScale OneFS | 9.1.0.0 through 9.1.0.27 9.2.1.0 through 9.2.1.20 9.4.0.0 through 9.4.0.12 |
Download and install the latest RUP. >= 9.1.0.28 >= 9.2.1.21 >= 9.4.0.13 |
PowerScale OneFS Downloads Area |
| Any other version | Upgrade your version of PowerScale OneFS. | |||
| CVE-2023-25941 |
PowerScale OneFS | 9.2.1.0 through 9.2.1.21 9.4.0.0 through 9.4.0.12 9.5.0.0 through 9.5.0.1 |
Download and install the latest RUP. >= 9.2.1.22 >= 9.4.0.13 >= 9.5.0.2 |
|
| 9.1.0.0 through 9.1.0.28 | Upgrade your version of PowerScale OneFS to >= 9.4.0.13. | |||
| Any other version | Upgrade your version of PowerScale OneFS. | |||
| CVE-2023-25940 | PowerScale OneFS | 9.5.0.0 | Download and install the latest RUP. >= 9.5.0.1 |
|
| CVE-2023-25942 |
PowerScale OneFS | 9.2.1.0 through 9.2.1.21 9.4.0.0 through 9.4.0.12 9.5.0.0 |
Download and install the latest RUP. >= 9.2.1.22 >= 9.4.0.13 >= 9.5.0.1 |
|
| 9.1.0.0 through 9.1.0.28 | Upgrade your version of PowerScale OneFS to >= 9.4.0.13. | |||
| Any other version | Upgrade your version of PowerScale OneFS. | |||
| CVE-2019-15876 |
PowerScale OneFS with Gen6 H5600 node | 9.2.1.0 through 9.2.1.21 9.4.0.0 through 9.4.0.12 9.5.0.0 |
Download and install the latest RUP. >= 9.2.1.22 >= 9.4.0.13 >= 9.5.0.1 |
|
| 9.1.0.0 through 9.1.0.28 | Upgrade your version of PowerScale OneFS to >= 9.4.0.13. | |||
| Any other version | Upgrade your version of PowerScale OneFS. |
Revision History
| Revision | Date | Description |
| 1.0 | 2023-03-23 | Initial Release |
| 1.1 | 2023-06-19 | Updated CVE description for CVE-2023-25940 |
| 1.2 | 2023-06-22 | Added notes for Proprietary Code CVEs and updated hyperlink for CVE-2022-28615 |
Related Information
Legal Disclaimer
Affected Products
PowerScale OneFS, Product Security InformationArticle Properties
Article Number: 000211539
Article Type: Dell Security Advisory
Last Modified: 22 Jun 2023
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.