Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

DSA-2022-014: Dell EMC PowerStore Family Security Update for Multiple Vulnerabilities

Summary: Dell EMC PowerStore Family remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Impact

Critical

Details

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2022-22556 Dell PowerStore contains an Uncontrolled Resource Consumption Vulnerability in PowerStore User Interface. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to the Denial of Service. 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2022-22557 Dell PowerStore contains Plain-Text Password Storage Vulnerability in version 2.0.0.x. and 2.0.1.x. A locally authenticated attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-26866 Dell PowerStore contains a Stored Cross-Site Scripting Vulnerability, an authenticated attacker may potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. 5.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CVE-2022-26867 Dell PowerStore contains formula injection vulnerability in which it supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It may allow a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file. 5.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
CVE-2022-26868 Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-26869 Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contain an open port vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to information disclosure, arbitrary code execution. 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26870 Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability. A remote unauthenticated attacker may  potentially exploit this vulnerability when both Remote Secure Credential and External SSH are enabled. An attacker would gain “service” account access upon successful exploit. 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
 
Third-Party Component CVEs More Information
NVMe SSD CVE-2021-0148 Intel-SA-00535
Axios CVE-2020-28168 See NVD (http://nvd.nist.gov/) for individual scores of each CVE.
bind-libs
bind-libs-lite
bind-utils
bind-license
CVE-2021-25215
glib2 CVE-2021-27219
gupnp CVE-2021-33516
java-1.8.0-openjdk CVE-2021-2369
CVE-2021-2388
CVE-2021-2341
libldb CVE-2021-20277
libwbclient CVE-2021-20254
Lo-dash CVE-2021-23337
CVE-2020-28500
CVE-2020-8203
Log4j CVE-2021-45105
CVE-2021-44832
CVE-2022-23307
nettle CVE-2021-20305
nss
nss-sysinit
nss-tools
CVE-2020-25648
openldap CVE-2020-25692
pillow CVE-2021-28675
CVE-2021-28676
CVE-2021-25288
CVE-2021-25287
CVE-2021-28677
CVE-2021-28678
postgres CVE-2021-20229
CVE-2021-32027
CVE-2021-3393
postgres-libs CVE-2021-32027
postgresql-libs CVE-2019-10208
CVE-2020-25694
CVE-2020-25695
samba-common
samba-client-libs
samba-common-libs libwbclient
CVE-2021-20254
screen version CVE-2021-26937
urllib3 CVE-2021-33503
xterm CVE-2021-27135
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2022-22556 Dell PowerStore contains an Uncontrolled Resource Consumption Vulnerability in PowerStore User Interface. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to the Denial of Service. 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2022-22557 Dell PowerStore contains Plain-Text Password Storage Vulnerability in version 2.0.0.x. and 2.0.1.x. A locally authenticated attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-26866 Dell PowerStore contains a Stored Cross-Site Scripting Vulnerability, an authenticated attacker may potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. 5.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CVE-2022-26867 Dell PowerStore contains formula injection vulnerability in which it supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It may allow a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file. 5.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
CVE-2022-26868 Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-26869 Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contain an open port vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to information disclosure, arbitrary code execution. 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-26870 Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability. A remote unauthenticated attacker may  potentially exploit this vulnerability when both Remote Secure Credential and External SSH are enabled. An attacker would gain “service” account access upon successful exploit. 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
 
Third-Party Component CVEs More Information
NVMe SSD CVE-2021-0148 Intel-SA-00535
Axios CVE-2020-28168 See NVD (http://nvd.nist.gov/) for individual scores of each CVE.
bind-libs
bind-libs-lite
bind-utils
bind-license
CVE-2021-25215
glib2 CVE-2021-27219
gupnp CVE-2021-33516
java-1.8.0-openjdk CVE-2021-2369
CVE-2021-2388
CVE-2021-2341
libldb CVE-2021-20277
libwbclient CVE-2021-20254
Lo-dash CVE-2021-23337
CVE-2020-28500
CVE-2020-8203
Log4j CVE-2021-45105
CVE-2021-44832
CVE-2022-23307
nettle CVE-2021-20305
nss
nss-sysinit
nss-tools
CVE-2020-25648
openldap CVE-2020-25692
pillow CVE-2021-28675
CVE-2021-28676
CVE-2021-25288
CVE-2021-25287
CVE-2021-28677
CVE-2021-28678
postgres CVE-2021-20229
CVE-2021-32027
CVE-2021-3393
postgres-libs CVE-2021-32027
postgresql-libs CVE-2019-10208
CVE-2020-25694
CVE-2020-25695
samba-common
samba-client-libs
samba-common-libs libwbclient
CVE-2021-20254
screen version CVE-2021-26937
urllib3 CVE-2021-33503
xterm CVE-2021-27135
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVEs Addressed Products Affected Versions Updated Versions Link to Update
CVE-2022-22557 PowerStore T OS
PowerStore X OS
PowerStore T OS versions 2.0.0.x and 2.0.1.x
*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x and 2.0.1.x
*PowerStore X OS versions 1.0.x.x are not affected.
PowerStore T OS Upgrade 2.1.0.0-1561821


PowerStore T OS Upgrade 2.1.0.1-1602345


PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887
https://www.dell.com/support/home/?app=drivers

 
CVE-2022-22556 PowerStore T OS
PowerStore X OS
PowerStore T OS versions before PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887
PowerStore T OS Upgrade 2.1.0.0-1561821


PowerStore T OS Upgrade 2.1.0.1-1602345


PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS”
PowerStore X OS Upgrade 2.1.1.0-1649887
CVE-2021-0148
CVE-2020-28168
CVE-2021-25215
CVE-2021-27219
CVE-2021-33516
CVE-2021-2369
CVE-2021-2388
CVE-2021-2341
CVE-2021-20277
CVE-2021-20254
CVE-2021-23337
CVE-2020-28500
CVE-2020-8203
CVE-2020-25692
CVE-2021-28675
CVE-2021-28676
CVE-2021-25288
CVE-2021-25287
CVE-2021-28677
CVE-2021-28678
CVE-2021-20229
CVE-2021-32027
CVE-2021-3393
CVE-2019-10208
CVE-2020-25694
CVE-2020-25695
CVE-2021-20254
CVE-2021-26937
CVE-2021-33503
CVE-2021-27135
CVE-2022-26866 PowerStore T OS
PowerStore X OS
PowerStore T OS versions before PowerStore T OS Upgrade 2.1.1.0-1649887


PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887
PowerStore T OS Upgrade 2.1.1.0-1649887


PowerStore X OS Upgrade 2.1.1.0-1649887
CVE-2022-26867
CVE-2021-45105
CVE-2021-44832
CVE-2022-23307
CVE-2022-26868 PowerStore T OS
PowerStore X OS
PowerStore T OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x
*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x
*PowerStore X OS versions 1.0.x.x are not affected.
PowerStore T OS Upgrade 2.1.1.0-1649887


PowerStore X OS Upgrade 2.1.1.0-1649887
CVE-2022-26869
CVE-2022-26870 PowerStore T OS PowerStore T OS versions 2.1.0.x
*PowerStore T OS 1.0.x.x, 2.0.0.x, 2.0.1.x are not affected
PowerStore T OS Upgrade 2.1.1.0-1649887
 
CVEs Addressed Products Affected Versions Updated Versions Link to Update
CVE-2022-22557 PowerStore T OS
PowerStore X OS
PowerStore T OS versions 2.0.0.x and 2.0.1.x
*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x and 2.0.1.x
*PowerStore X OS versions 1.0.x.x are not affected.
PowerStore T OS Upgrade 2.1.0.0-1561821


PowerStore T OS Upgrade 2.1.0.1-1602345


PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887
https://www.dell.com/support/home/?app=drivers

 
CVE-2022-22556 PowerStore T OS
PowerStore X OS
PowerStore T OS versions before PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887
PowerStore T OS Upgrade 2.1.0.0-1561821


PowerStore T OS Upgrade 2.1.0.1-1602345


PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS”
PowerStore X OS Upgrade 2.1.1.0-1649887
CVE-2021-0148
CVE-2020-28168
CVE-2021-25215
CVE-2021-27219
CVE-2021-33516
CVE-2021-2369
CVE-2021-2388
CVE-2021-2341
CVE-2021-20277
CVE-2021-20254
CVE-2021-23337
CVE-2020-28500
CVE-2020-8203
CVE-2020-25692
CVE-2021-28675
CVE-2021-28676
CVE-2021-25288
CVE-2021-25287
CVE-2021-28677
CVE-2021-28678
CVE-2021-20229
CVE-2021-32027
CVE-2021-3393
CVE-2019-10208
CVE-2020-25694
CVE-2020-25695
CVE-2021-20254
CVE-2021-26937
CVE-2021-33503
CVE-2021-27135
CVE-2022-26866 PowerStore T OS
PowerStore X OS
PowerStore T OS versions before PowerStore T OS Upgrade 2.1.1.0-1649887


PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887
PowerStore T OS Upgrade 2.1.1.0-1649887


PowerStore X OS Upgrade 2.1.1.0-1649887
CVE-2022-26867
CVE-2021-45105
CVE-2021-44832
CVE-2022-23307
CVE-2022-26868 PowerStore T OS
PowerStore X OS
PowerStore T OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x
*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x
*PowerStore X OS versions 1.0.x.x are not affected.
PowerStore T OS Upgrade 2.1.1.0-1649887


PowerStore X OS Upgrade 2.1.1.0-1649887
CVE-2022-26869
CVE-2022-26870 PowerStore T OS PowerStore T OS versions 2.1.0.x
*PowerStore T OS 1.0.x.x, 2.0.0.x, 2.0.1.x are not affected
PowerStore T OS Upgrade 2.1.1.0-1649887
 

Revision History

RevisionDateMore Information
1.02022-04-19Initial Release
2.02022-04-21Minor updates to include Log4j CVEs and Link to Update. See Dell KB article194739: https://www.dell.com/support/kbdoc/000196367
2.12023-01-17Minor update to CVEs Addressed in the Affected Products and Remediation section: removed duplicate CVE ID: CVE-2022-26867 and added CVE ID: CVE-2022-26866.

Related Information

Affected Products

PowerStore, PowerStore 1000X, PowerStore 1000T, PowerStore 3000X, PowerStore 3000T, PowerStore 5000X, PowerStore 5000T, PowerStore 500T, PowerStore 7000X, PowerStore 7000T, PowerStore 9000X, PowerStore 9000T, Product Security Information
Article Properties
Article Number: 000196367
Article Type: Dell Security Advisory
Last Modified: 17 Jan 2023
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.