CVE-2022-34454: DSA-2022-271: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a heap-based buffer overflow. A local privileged malicious user could potentially exploit this vulnerability, leading to system takeover. This impacts compliance mode clusters.


Impact

High

Details

Proprietary Code CVEs

CVE-2022-23089
Description: Dell PowerScale OneFS versions 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, 9.3.0.x, and 9.4.0.x contain an out-of-bounds read vulnerability. An attacker with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE may potentially exploit this vulnerability, leading to a denial of service.
CVSS Base Score: 5.5
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-23091
Description: Dell PowerScale OneFS, versions 9.1.0.x through 9.4.0.x, contain a use-after-free vulnerability. A low-privileged local attacker may potentially exploit this vulnerability, leading to information disclosure, system takeover, or complete outage.
CVSS Base Score: 6.7
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2022-33934
Description: Dell PowerScale OneFS, versions 8.2.x through 9.4.x, contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges may potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected fields.
CVSS Base Score: 7.7
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE-2022-34438
Description: Dell PowerScale OneFS, versions 8.2.x through 9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privileges may potentially exploit this vulnerability, leading to full system compromise. This issue impacts compliance mode clusters.
CVSS Base Score: 6.7
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34439
Description: Dell PowerScale OneFS, versions 8.2.0.x through 9.4.0.x, contain an allocation of resources without limits or throttling vulnerability. A malicious unauthenticated network user may potentially exploit this vulnerability, leading to denial of service and performance issues on that node.
CVSS Base Score: 5.3
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2022-34444
Description: Dell PowerScale OneFS, versions 9.2.0.x through 9.4.0.x, contain an information disclosure vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to cause a data leak.
CVSS Base Score: 5.9
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-34445
Description: Dell PowerScale OneFS, versions 8.2.x through 9.3.x, contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.
CVSS Base Score: 6.0
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CVE-2022-34454
Description: Dell PowerScale OneFS, versions 8.2.x through 9.3.x, contain a heap-based buffer overflow. A local privileged malicious user may potentially exploit this vulnerability, leading to system takeover. This issue impacts compliance mode clusters.
CVSS Base Score: 6.7
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Note: CVE-2022-34454 and CVE-2022-34438 score 6.7 (Medium); however, on a compliance mode cluster the score is 6.7 (Business Critical), as the issue may affect compliance restrictions.

Third-party Component CVEs

Component: Cyrus SASL
CVEs: CVE-2022-24407, CVE-2019-19906, CVE-2013-4122
CVSS Vector String: See NVD for individual scores for each CVE.


Dell Technologies recommends that all customers take into account both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity of a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed, Product, Affected Versions, Updated Versions, and Link to Update:

CVE-2022-23089
Product: PowerScale OneFS
Affected Versions: 9.1.0.0 through 9.1.0.23; 9.2.1.0 through 9.2.1.16; 9.4.0.0 through 9.4.0.6
Updated Versions: Download and install the latest RUP: >= 9.1.0.24; >= 9.2.1.17; >= 9.4.0.7
Affected Versions: 9.3.0.0 through 9.3.0.9
Updated Versions: RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to >= 9.4.0.7.
Affected Versions: Any other version
Updated Versions: Upgrade your version of PowerScale OneFS.
Link to Update: PowerScale OneFS Downloads Area

CVE-2022-23091
Product: PowerScale OneFS
Affected Versions: 9.1.0.0 through 9.1.0.23; 9.2.1.0 through 9.2.1.16; 9.4.0.0 through 9.4.0.6
Updated Versions: Download and install the latest RUP: >= 9.1.0.24; >= 9.2.1.17; >= 9.4.0.7
Affected Versions: 9.3.0.0 through 9.3.0.9
Updated Versions: RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to >= 9.4.0.7.
Affected Versions: Any other version
Updated Versions: Upgrade your version of PowerScale OneFS.

CVE-2022-24407, CVE-2019-19906, CVE-2013-4122
Product: PowerScale OneFS
Affected Versions: 9.3.0.0 through 9.3.0.7
Updated Versions: Download and install the latest RUP: >= 9.3.0.9
Affected Versions: Any other version
Updated Versions: See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates

CVE-2022-33934
Product: PowerScale OneFS
Affected Versions: 9.1.0.0 through 9.1.0.23; 9.2.1.0 through 9.2.1.16; 9.3.0.0 through 9.3.0.7; 9.4.0.0 through 9.4.0.4
Updated Versions: Download and install the latest RUP: >= 9.1.0.24; >= 9.2.1.17; >= 9.3.0.9; >= 9.4.0.5
Affected Versions: Any other version
Updated Versions: Upgrade your version of PowerScale OneFS.

CVE-2022-34438
Product: PowerScale OneFS
Affected Versions: 9.3.0.0 through 9.3.0.7
Updated Versions: Download and install the latest RUP: >= 9.3.0.9
Affected Versions: Any other version
Updated Versions: See DSA-2022-245

CVE-2022-34439
Product: PowerScale OneFS
Affected Versions: 9.3.0.0 through 9.3.0.7
Updated Versions: Download and install the latest RUP: >= 9.3.0.9
Affected Versions: Any other version
Updated Versions: See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates

CVE-2022-34444
Product: PowerScale OneFS
Affected Versions: 9.2.1.0 through 9.2.1.16; 9.3.0.0 through 9.3.0.7; 9.4.0.0 through 9.4.0.5
Updated Versions: Download and install the latest RUP: >= 9.2.1.17; >= 9.3.0.9; >= 9.4.0.6
Affected Versions: Any other version
Updated Versions: Upgrade your version of PowerScale OneFS.

CVE-2022-34445
Product: PowerScale OneFS
Affected Versions: 9.1.0.0 through 9.1.0.20; 9.2.1.0 through 9.2.1.13; 9.3.0.0 through 9.3.0.7; 9.4.0.0 through 9.4.0.4
Updated Versions: Download and install the latest RUP: >= 9.1.0.21; >= 9.2.1.14; >= 9.3.0.9; >= 9.4.0.5
Affected Versions: Any other version
Updated Versions: Upgrade your version of PowerScale OneFS.

CVE-2022-34454
Product: PowerScale OneFS
Affected Versions: 9.1.0.0 through 9.1.0.20; 9.2.1.0 through 9.2.1.13; 9.3.0.0 through 9.3.0.7
Updated Versions: Download and install the latest RUP: >= 9.1.0.21; >= 9.2.1.14; >= 9.3.0.9
Affected Versions: Any other version
Updated Versions: Upgrade your version of PowerScale OneFS.


Revision History

Revision: 1.0
Date: 2022-11-21
Description: Initial Release

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

21 Nov 2022

Related news

CVE-2023-43074: DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability

Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Red Hat Security Advisory 2023-4053-01

Red Hat Security Advisory 2023-4053-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.45. Issues addressed include a code execution vulnerability.

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains an Open Redirect vulnerability. An attacker with the same privileges as a legitimate user can phish the legitimate user into being redirected to a malicious website, leading to information disclosure and the launch of phishing attacks.

CVE-2022-46756: DSA-2022-335: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.

CVE-2022-34439: DSA-2022-245: Dell EMC PowerScale OneFS Security Update for Multiple Security Updates

Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service and performance issue on that node.

Red Hat Security Advisory 2022-6526-01

Red Hat Security Advisory 2022-6526-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.11.0 images: RHEL-8-CNV-4.11. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-6429-01

Red Hat Security Advisory 2022-6429-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include bypass, code execution, and denial of service vulnerabilities.

Red Hat Security Advisory 2022-5069-01

Red Hat Security Advisory 2022-5069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include code execution, cross site scripting, denial of service, information leakage, and traversal vulnerabilities.

Red Hat Security Advisory 2022-5070-01

Red Hat Security Advisory 2022-5070-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include denial of service, out of bounds read, and traversal vulnerabilities.

RHSA-2022:5069: Red Hat Security Advisory: OpenShift Container Platform 4.11.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2021-23648: sanitize-url: XSS * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-44906:...

Red Hat Security Advisory 2022-5924-01

Red Hat Security Advisory 2022-5924-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring.

RHSA-2022:5132: Red Hat Security Advisory: RHACS 3.68 security update

Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1902: stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext

Red Hat Security Advisory 2022-4668-01

Red Hat Security Advisory 2022-4668-01 - Red Hat OpenShift Virtualization release 4.10.1 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

RHSA-2022:4668: Red Hat Security Advisory: OpenShift Virtualization 4.10.1 Images security and bug fix update

Red Hat OpenShift Virtualization release 4.10.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-36221: golang: net/http/httputil: panic due to racy read of persistConn after handler panic * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter

CVE-2022-24407: security - Fwd: Cyrus-SASL 2.1.28 released [fixes CVE-2022-24407 & CVE-2019-19906]

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

CVE-2020-9883: About the security content of macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

CVE-2020-9918: About the security content of iOS 13.6 and iPadOS 13.6

An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.
