Headline
CVE-2022-34454: DSA-2022-271: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities
Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a heap-based buffer overflow. A local privileged malicious user could potentially exploit this vulnerability, leading to system takeover. This impacts compliance mode clusters.
Vaikutus
High
Tiedot
Proprietary Code CVEs
Description
CVSS Base Score
CVSS Vector String
CVE-2022-23089
Dell PowerScale OneFS versions 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, 9.3.0.x, and 9.4.0.x contain an Out-of-Bounds Read vulnerability. An attacker with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE may potentially exploit this vulnerability leading to a Denial of Service situation.
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-23091
Dell PowerScale OneFS, versions 9.1.0.x through 9.4.0.x contains a use after free vulnerability. A low privilege local attacker may potentially exploit this vulnerability, leading to information disclosure, system takeover, or complete outage.
6.7
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2022-33934
Dell PowerScale OneFS, versions 8.2.x through 9.4.x contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges may potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected fields.
7.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVE-2022-34438
Dell PowerScale OneFS, versions 8.2.x through 9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privilegesmay potentially exploit this vulnerability, leading to full system compromise. This issue impacts compliance mode clusters.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34439
Dell PowerScale OneFS, versions 8.2.0.x through 9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A malicious unauthenticated network user may potentially exploit this vulnerability, leading to denial of service and performance issue on that node.
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2022-34444
Dell PowerScale OneFS, versions 9.2.0.x through 9.4.0.x contain an information vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to cause data leak.
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-34445
Dell PowerScale OneFS, versions 8.2.x through 9.3.x contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.
6.0
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVE-2022-34454
Dell PowerScale OneFS, versions 8.2.x-9.3.x contain a heap-based buffer overflow. A local privileged malicious user may potentially exploit this vulnerability, leading to system takeover. This issue impacts compliance mode clusters.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Note: CVE-2022-34454 and CVE-2022-34438 scores 6.7 Medium, however in compliance mode cluster it is 6.7 (Business Critical) as it may affect compliance restrictions.
Third-party Component
CVEs
CVSS Vector String
Cyrus SASL
CVE-2022-24407
See NVD for individual scores for each CVE.
CVE-2019-19906
CVE-2013-4122
Proprietary Code CVEs
Description
CVSS Base Score
CVSS Vector String
CVE-2022-23089
Dell PowerScale OneFS versions 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, 9.3.0.x, and 9.4.0.x contain an Out-of-Bounds Read vulnerability. An attacker with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE may potentially exploit this vulnerability leading to a Denial of Service situation.
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-23091
Dell PowerScale OneFS, versions 9.1.0.x through 9.4.0.x contains a use after free vulnerability. A low privilege local attacker may potentially exploit this vulnerability, leading to information disclosure, system takeover, or complete outage.
6.7
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2022-33934
Dell PowerScale OneFS, versions 8.2.x through 9.4.x contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges may potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected fields.
7.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVE-2022-34438
Dell PowerScale OneFS, versions 8.2.x through 9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privilegesmay potentially exploit this vulnerability, leading to full system compromise. This issue impacts compliance mode clusters.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34439
Dell PowerScale OneFS, versions 8.2.0.x through 9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A malicious unauthenticated network user may potentially exploit this vulnerability, leading to denial of service and performance issue on that node.
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2022-34444
Dell PowerScale OneFS, versions 9.2.0.x through 9.4.0.x contain an information vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to cause data leak.
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-34445
Dell PowerScale OneFS, versions 8.2.x through 9.3.x contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.
6.0
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVE-2022-34454
Dell PowerScale OneFS, versions 8.2.x-9.3.x contain a heap-based buffer overflow. A local privileged malicious user may potentially exploit this vulnerability, leading to system takeover. This issue impacts compliance mode clusters.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Note: CVE-2022-34454 and CVE-2022-34438 scores 6.7 Medium, however in compliance mode cluster it is 6.7 (Business Critical) as it may affect compliance restrictions.
Third-party Component
CVEs
CVSS Vector String
Cyrus SASL
CVE-2022-24407
See NVD for individual scores for each CVE.
CVE-2019-19906
CVE-2013-4122
Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.
Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen
CVEs Addressed
Product
Affected Versions
Updated Versions
Link to Update
CVE-2022-23089
PowerScale OneFS
9.1.0.0 through 9.1.0.23
9.2.1.0 through 9.2.1.16
9.4.0.0 through 9.4.0.6
Download and install the latest RUP.
> = 9.1.0.24
> = 9.2.1.17
> = 9.4.0.7
PowerScale OneFS Downloads Area
9.3.0.0 through 9.3.0.9
RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to = 9.4.0.7.
Any other version
Upgrade your version of PowerScale OneFS.
CVE-2022-23091
PowerScale OneFS
9.1.0.0 through 9.1.0.23
9.2.1.0 through 9.2.1.16
9.4.0.0 through 9.4.0.6
Download and install the latest RUP.
> = 9.1.0.24
> = 9.2.1.17
> = 9.4.0.7
9.3.0.0 through 9.3.0.9
RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to > = 9.4.0.7.
Any other version
Upgrade your version of PowerScale OneFS.
CVE-2022-24407
CVE-2019-19906
CVE-2013-4122
PowerScale OneFS
9.3.0.0 through 9.3.0.7
Download and install the latest RUP.
> = 9.3.0.9
Any other Version
See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates
CVE-2022-33934
PowerScale OneFS
9.1.0.0 through 9.1.0.23
9.2.1.0 through 9.2.1.16
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.4
Download and install the latest RUP.
> = 9.1.0.24
> = 9.2.1.17
> = 9.3.0.9
> = 9.4.0.5
Any other version
Upgrade your version of PowerScale OneFS.
CVE-2022-34438
PowerScale OneFS
9.3.0.0 through 9.3.0.7
Download and install the latest RUP.
> = 9.3.0.9
Any other version
See DSA: DSA-2022-245
CVE-2022-34439
PowerScale OneFS
9.3.0.0 through 9.3.0.7
Download and install the latest RUP.
> = 9.3.0.9
Any other version
See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates
CVE-2022-34444
PowerScale OneFS
9.2.1.0 through 9.2.1.16
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.5
Download and install the latest RUP.
> = 9.2.1.17
> = 9.3.0.9
> = 9.4.0.6
Any other version
Upgrade your version of PowerScale OneFS.
CVE-2022-34445
PowerScale OneFS
9.1.0.0 through 9.1.0.20
9.2.1.0 through 9.2.1.13
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.4
Download and install the latest RUP.
> = 9.1.0.21
> = 9.2.1.14
> = 9.3.0.9
> = 9.4.0.5
Any other version
Upgrade your version of PowerScale OneFS.
CVE-2022-34454
PowerScale OneFS
9.1.0.0 through 9.1.0.20
9.2.1.0 through 9.2.1.13
9.3.0.0 through 9.3.0.7
Download and install the latest RUP.
> = 9.1.0.21
> = 9.2.1.14
> = 9.3.0.9
Any other version
Upgrade your version of PowerScale OneFS.
CVEs Addressed
Product
Affected Versions
Updated Versions
Link to Update
CVE-2022-23089
PowerScale OneFS
9.1.0.0 through 9.1.0.23
9.2.1.0 through 9.2.1.16
9.4.0.0 through 9.4.0.6
Download and install the latest RUP.
> = 9.1.0.24
> = 9.2.1.17
> = 9.4.0.7
PowerScale OneFS Downloads Area
9.3.0.0 through 9.3.0.9
RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to = 9.4.0.7.
Any other version
Upgrade your version of PowerScale OneFS.
CVE-2022-23091
PowerScale OneFS
9.1.0.0 through 9.1.0.23
9.2.1.0 through 9.2.1.16
9.4.0.0 through 9.4.0.6
Download and install the latest RUP.
> = 9.1.0.24
> = 9.2.1.17
> = 9.4.0.7
9.3.0.0 through 9.3.0.9
RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to > = 9.4.0.7.
Any other version
Upgrade your version of PowerScale OneFS.
CVE-2022-24407
CVE-2019-19906
CVE-2013-4122
PowerScale OneFS
9.3.0.0 through 9.3.0.7
Download and install the latest RUP.
> = 9.3.0.9
Any other Version
See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates
CVE-2022-33934
PowerScale OneFS
9.1.0.0 through 9.1.0.23
9.2.1.0 through 9.2.1.16
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.4
Download and install the latest RUP.
> = 9.1.0.24
> = 9.2.1.17
> = 9.3.0.9
> = 9.4.0.5
Any other version
Upgrade your version of PowerScale OneFS.
CVE-2022-34438
PowerScale OneFS
9.3.0.0 through 9.3.0.7
Download and install the latest RUP.
> = 9.3.0.9
Any other version
See DSA: DSA-2022-245
CVE-2022-34439
PowerScale OneFS
9.3.0.0 through 9.3.0.7
Download and install the latest RUP.
> = 9.3.0.9
Any other version
See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates
CVE-2022-34444
PowerScale OneFS
9.2.1.0 through 9.2.1.16
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.5
Download and install the latest RUP.
> = 9.2.1.17
> = 9.3.0.9
> = 9.4.0.6
Any other version
Upgrade your version of PowerScale OneFS.
CVE-2022-34445
PowerScale OneFS
9.1.0.0 through 9.1.0.20
9.2.1.0 through 9.2.1.13
9.3.0.0 through 9.3.0.7
9.4.0.0 through 9.4.0.4
Download and install the latest RUP.
> = 9.1.0.21
> = 9.2.1.14
> = 9.3.0.9
> = 9.4.0.5
Any other version
Upgrade your version of PowerScale OneFS.
CVE-2022-34454
PowerScale OneFS
9.1.0.0 through 9.1.0.20
9.2.1.0 through 9.2.1.13
9.3.0.0 through 9.3.0.7
Download and install the latest RUP.
> = 9.1.0.21
> = 9.2.1.14
> = 9.3.0.9
Any other version
Upgrade your version of PowerScale OneFS.
Versiohistoria
Revision
Date
Description
1.0
202211-21
Initial Release
Asiaan liittyvät tiedot
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
21 marrask. 2022
Related news
Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Red Hat Security Advisory 2023-4053-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.45. Issues addressed include a code execution vulnerability.
An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service and performance issue on that node.
Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service and performance issue on that node.
Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service and performance issue on that node.
Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service and performance issue on that node.
Red Hat Security Advisory 2022-6526-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.11.0 images: RHEL-8-CNV-4.11. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.
Red Hat Security Advisory 2022-6429-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include bypass, code execution, and denial of service vulnerabilities.
Red Hat Security Advisory 2022-5069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include code execution, cross site scripting, denial of service, information leakage, and traversal vulnerabilities.
Red Hat Security Advisory 2022-5070-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include denial of service, out of bounds read, and traversal vulnerabilities.
Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2021-23648: sanitize-url: XSS * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-44906:...
Red Hat Security Advisory 2022-5924-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring.
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1902: stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext
Red Hat Security Advisory 2022-4668-01 - Red Hat OpenShift Virtualization release 4.10.1 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Virtualization release 4.10.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-36221: golang: net/http/httputil: panic due to racy read of persistConn after handler panic * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.