Article Number: 000195815

DSA-2022-002: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities

Summary: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content

Impact

High

Details

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2022-22561	Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts.	8.1	CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVE-2022-22549	Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials.	7.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-22559	Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure.	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-22562	Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability.	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22560	Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline.	7.1	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVE-2022-22550	Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover.	6.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22565	Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data.	4.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Third-party Component	CVEs	More information
GNU gettext	CVE-2018-18751	https://nvd.nist.gov/vuln/detail/CVE-2018-18751 https://www.gnu.org/software/gettext/
OpenSSL	CVE-2021-3712	https://nvd.nist.gov/vuln/detail/CVE-2021-3712 https://www.openssl.org/news/secadv/20210824.txt
Apache	Multiple	https://httpd.apache.org/security/vulnerabilities_24.html

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2022-22561	Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts.	8.1	CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVE-2022-22549	Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials.	7.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-22559	Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure.	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-22562	Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability.	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22560	Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline.	7.1	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVE-2022-22550	Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover.	6.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22565	Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data.	4.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Third-party Component	CVEs	More information
GNU gettext	CVE-2018-18751	https://nvd.nist.gov/vuln/detail/CVE-2018-18751 https://www.gnu.org/software/gettext/
OpenSSL	CVE-2021-3712	https://nvd.nist.gov/vuln/detail/CVE-2021-3712 https://www.openssl.org/news/secadv/20210824.txt
Apache	Multiple	https://httpd.apache.org/security/vulnerabilities_24.html

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed	Affected Versions	Updated Versions	Link to Update
CVE-2022-22561	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS	PowerScale OneFS Downloads Area
CVE-2022-22561	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP
CVE-2022-22549	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2022-22549	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP
CVE-2022-22559	n/a	Upgrade your version of OneFS
CVE-2022-22559	9.3.0.x	Download and install the latest RUP
CVE-2022-22562	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2022-22562	9.1.0.x and 9.2.1.x	Download and install the latest RUP
CVE-2022-22560	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2022-22560	9.1.0.x and 9.2.1.x	Download and install the latest RUP
CVE-2022-22550	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2022-22550	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP
CVE-2018-18751	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2018-18751	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP
CVE-2021-3712	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2021-3712	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP
Apache: Multiple	8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x	Upgrade your version of OneFS
Apache: Multiple	9.1.0.x, 9.2.1.x, 9.3.0.x	Download and install the latest RUP
CVE-2022-22565	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2022-22565	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

CVEs Addressed	Affected Versions	Updated Versions	Link to Update
CVE-2022-22561	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS	PowerScale OneFS Downloads Area
CVE-2022-22561	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP
CVE-2022-22549	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2022-22549	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP
CVE-2022-22559	n/a	Upgrade your version of OneFS
CVE-2022-22559	9.3.0.x	Download and install the latest RUP
CVE-2022-22562	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2022-22562	9.1.0.x and 9.2.1.x	Download and install the latest RUP
CVE-2022-22560	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2022-22560	9.1.0.x and 9.2.1.x	Download and install the latest RUP
CVE-2022-22550	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2022-22550	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP
CVE-2018-18751	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2018-18751	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP
CVE-2021-3712	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2021-3712	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP
Apache: Multiple	8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x	Upgrade your version of OneFS
Apache: Multiple	9.1.0.x, 9.2.1.x, 9.3.0.x	Download and install the latest RUP
CVE-2022-22565	8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x	Upgrade your version of OneFS
CVE-2022-22565	9.1.0.x, 9.2.1.x, and 9.3.0.x	Download and install the latest RUP

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

Revision History

Revision	Date	Description
1.0	2022-01-31	Initial Release

DSA-2022-002: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities

Summary: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content

Impact

Details

Affected Products and Remediation

Revision History

Related Information

Legal Information

Article Properties

Affected Product

Last Published Date

Article Type

Welcome

Welcome to Dell

DSA-2022-002: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities

Summary: Dell EMC PowerScale OneFS remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content

Impact

Details

Affected Products and Remediation

Revision History

Related Information

Legal Information

Article Properties

Affected Product

Last Published Date

Article Type