Article Number: 000205618


DSA-2022-271: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities

Summary: Dell PowerScale remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Article Content


Impact

High

Details

Proprietary Code CVEs

CVE-2022-23089
  Description: Dell PowerScale OneFS versions 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, 9.3.0.x, and 9.4.0.x contain an Out-of-Bounds Read vulnerability. An attacker with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE may potentially exploit this vulnerability, leading to a Denial of Service situation.
  CVSS Base Score: 5.5
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-23091
  Description: Dell PowerScale OneFS versions 9.1.0.x through 9.4.0.x contain a use-after-free vulnerability. A low-privileged local attacker may potentially exploit this vulnerability, leading to information disclosure, system takeover, or complete outage.
  CVSS Base Score: 6.7
  CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2022-33934
  Description: Dell PowerScale OneFS versions 8.2.x through 9.4.x contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges may potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected fields.
  CVSS Base Score: 7.7
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE-2022-34438
  Description: Dell PowerScale OneFS versions 8.2.x through 9.4.0.x contain a privilege context switching error. A local authenticated malicious user with high privileges may potentially exploit this vulnerability, leading to full system compromise. This issue impacts compliance mode clusters.
  CVSS Base Score: 6.7
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34439
  Description: Dell PowerScale OneFS versions 8.2.0.x through 9.4.0.x contain an Allocation of Resources Without Limits or Throttling vulnerability. A malicious unauthenticated network user may potentially exploit this vulnerability, leading to denial of service and a performance issue on that node.
  CVSS Base Score: 5.3
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2022-34444
  Description: Dell PowerScale OneFS versions 9.2.0.x through 9.4.0.x contain an information vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to cause a data leak.
  CVSS Base Score: 5.9
  CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-34445
  Description: Dell PowerScale OneFS versions 8.2.x through 9.3.x contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.
  CVSS Base Score: 6.0
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CVE-2022-34454
  Description: Dell PowerScale OneFS versions 8.2.x through 9.3.x contain a heap-based buffer overflow. A local privileged malicious user may potentially exploit this vulnerability, leading to system takeover. This issue impacts compliance mode clusters.
  CVSS Base Score: 6.7
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Note: CVE-2022-34454 and CVE-2022-34438 score 6.7 (Medium); however, on a compliance mode cluster they are rated 6.7 (Business Critical), as they may affect compliance restrictions.

Third-party Component CVEs

Cyrus SASL
  CVEs: CVE-2022-24407, CVE-2019-19906, CVE-2013-4122
  CVSS Vector String: See NVD for individual scores for each CVE.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

Product: PowerScale OneFS (all rows)
Link to Update (all rows): PowerScale OneFS Downloads Area

CVEs Addressed: CVE-2022-23089
  Affected Versions -> Updated Versions
    9.1.0.0 through 9.1.0.23 -> >= 9.1.0.24 (download and install the latest RUP)
    9.2.1.0 through 9.2.1.16 -> >= 9.2.1.17 (download and install the latest RUP)
    9.4.0.0 through 9.4.0.6 -> >= 9.4.0.7 (download and install the latest RUP)
    9.3.0.0 through 9.3.0.9 -> RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to >= 9.4.0.7.
    Any other version -> Upgrade your version of PowerScale OneFS.

CVEs Addressed: CVE-2022-23091
  Affected Versions -> Updated Versions
    9.1.0.0 through 9.1.0.23 -> >= 9.1.0.24 (download and install the latest RUP)
    9.2.1.0 through 9.2.1.16 -> >= 9.2.1.17 (download and install the latest RUP)
    9.4.0.0 through 9.4.0.6 -> >= 9.4.0.7 (download and install the latest RUP)
    9.3.0.0 through 9.3.0.9 -> RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to >= 9.4.0.7.
    Any other version -> Upgrade your version of PowerScale OneFS.

CVEs Addressed: CVE-2022-24407, CVE-2019-19906, CVE-2013-4122
  Affected Versions -> Updated Versions
    9.3.0.0 through 9.3.0.7 -> >= 9.3.0.9 (download and install the latest RUP)
    Any other version -> See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates

CVEs Addressed: CVE-2022-33934
  Affected Versions -> Updated Versions
    9.1.0.0 through 9.1.0.23 -> >= 9.1.0.24 (download and install the latest RUP)
    9.2.1.0 through 9.2.1.16 -> >= 9.2.1.17 (download and install the latest RUP)
    9.3.0.0 through 9.3.0.7 -> >= 9.3.0.9 (download and install the latest RUP)
    9.4.0.0 through 9.4.0.4 -> >= 9.4.0.5 (download and install the latest RUP)
    Any other version -> Upgrade your version of PowerScale OneFS.

CVEs Addressed: CVE-2022-34438
  Affected Versions -> Updated Versions
    9.3.0.0 through 9.3.0.7 -> >= 9.3.0.9 (download and install the latest RUP)
    Any other version -> See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates

CVEs Addressed: CVE-2022-34439
  Affected Versions -> Updated Versions
    9.3.0.0 through 9.3.0.7 -> >= 9.3.0.9 (download and install the latest RUP)
    Any other version -> See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates

CVEs Addressed: CVE-2022-34444
  Affected Versions -> Updated Versions
    9.2.1.0 through 9.2.1.16 -> >= 9.2.1.17 (download and install the latest RUP)
    9.3.0.0 through 9.3.0.7 -> >= 9.3.0.9 (download and install the latest RUP)
    9.4.0.0 through 9.4.0.5 -> >= 9.4.0.6 (download and install the latest RUP)
    Any other version -> Upgrade your version of PowerScale OneFS.

CVEs Addressed: CVE-2022-34445
  Affected Versions -> Updated Versions
    9.1.0.0 through 9.1.0.20 -> >= 9.1.0.21 (download and install the latest RUP)
    9.2.1.0 through 9.2.1.13 -> >= 9.2.1.14 (download and install the latest RUP)
    9.3.0.0 through 9.3.0.7 -> >= 9.3.0.9 (download and install the latest RUP)
    9.4.0.0 through 9.4.0.4 -> >= 9.4.0.5 (download and install the latest RUP)
    Any other version -> Upgrade your version of PowerScale OneFS.

CVEs Addressed: CVE-2022-34454
  Affected Versions -> Updated Versions
    9.1.0.0 through 9.1.0.20 -> >= 9.1.0.21 (download and install the latest RUP)
    9.2.1.0 through 9.2.1.13 -> >= 9.2.1.14 (download and install the latest RUP)
    9.3.0.0 through 9.3.0.7 -> >= 9.3.0.9 (download and install the latest RUP)
    Any other version -> Upgrade your version of PowerScale OneFS.
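The remediation table above maps each affected OneFS branch to the first fixed RUP, with one branch (9.3.0.x for CVE-2022-23089 and CVE-2022-23091) having no RUP yet. The script below is an added example, not Dell tooling: it transcribes those ranges and classifies an installed version string per CVE, treating the "RUP expected" branch and versions outside every listed branch as separate cases. The version string is assumed to be the dotted form the table uses (for example "9.3.0.7").

```python
"""Classify an installed OneFS version against the DSA-2022-271 remediation table (added example)."""

def ver(s):
    """'9.3.0.7' -> (9, 3, 0, 7) so that tuple comparison orders versions correctly."""
    return tuple(int(p) for p in s.strip().split("."))

# (first affected, last affected, first fixed) per branch, transcribed from the table above.
# A fixed value of None marks a branch whose RUP is not yet available (the 9.3.0.x rows that
# say "RUP is expected in January 2023"); the table's fallback there is >= 9.4.0.7.
R_23089 = [("9.1.0.0", "9.1.0.23", "9.1.0.24"), ("9.2.1.0", "9.2.1.16", "9.2.1.17"),
           ("9.3.0.0", "9.3.0.9", None), ("9.4.0.0", "9.4.0.6", "9.4.0.7")]
R_930 = [("9.3.0.0", "9.3.0.7", "9.3.0.9")]   # rows that list only the 9.3.0.x branch
ADVISORY = {
    "CVE-2022-23089": R_23089, "CVE-2022-23091": R_23089,
    "CVE-2022-24407": R_930, "CVE-2019-19906": R_930, "CVE-2013-4122": R_930,
    "CVE-2022-33934": [("9.1.0.0", "9.1.0.23", "9.1.0.24"), ("9.2.1.0", "9.2.1.16", "9.2.1.17"),
                       ("9.3.0.0", "9.3.0.7", "9.3.0.9"), ("9.4.0.0", "9.4.0.4", "9.4.0.5")],
    "CVE-2022-34438": R_930, "CVE-2022-34439": R_930,
    "CVE-2022-34444": [("9.2.1.0", "9.2.1.16", "9.2.1.17"), ("9.3.0.0", "9.3.0.7", "9.3.0.9"),
                       ("9.4.0.0", "9.4.0.5", "9.4.0.6")],
    "CVE-2022-34445": [("9.1.0.0", "9.1.0.20", "9.1.0.21"), ("9.2.1.0", "9.2.1.13", "9.2.1.14"),
                       ("9.3.0.0", "9.3.0.7", "9.3.0.9"), ("9.4.0.0", "9.4.0.4", "9.4.0.5")],
    "CVE-2022-34454": [("9.1.0.0", "9.1.0.20", "9.1.0.21"), ("9.2.1.0", "9.2.1.13", "9.2.1.14"),
                       ("9.3.0.0", "9.3.0.7", "9.3.0.9")],
}

def status(installed, ranges):
    """Classify one installed version against one CVE's per-branch ranges."""
    v = ver(installed)
    for lo, hi, fixed in ranges:
        if ver(lo) <= v <= ver(hi):
            if fixed:
                return f"AFFECTED: apply RUP >= {fixed}"
            return "AFFECTED: no RUP yet, upgrade to >= 9.4.0.7 if a fix is needed sooner"
        # Same branch (first three components) at or past the first fixed RUP.
        if fixed and v[:3] == ver(fixed)[:3] and v >= ver(fixed):
            return "FIXED"
    # Not on any listed branch (for example 9.0.0.x or 9.2.0.x): the table's fallback row.
    return "NOT LISTED: upgrade your version of PowerScale OneFS"

def check(installed):
    """Return {CVE: status} for an installed OneFS version string."""
    return {cve: status(installed, ranges) for cve, ranges in ADVISORY.items()}

if __name__ == "__main__":
    for cve, s in check("9.3.0.7").items():
        print(cve, s)
```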

Revision History

Revision  Date        Description
1.0       2022-11-21  Initial Release

Related Information


Article Properties


Affected Product

PowerScale OneFS, Product Security Information

Last Published Date

13 Feb 2023

Version

2

Article Type

Dell Security Advisory