Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-22561: DSA-2022-002: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts.

CVE
#vulnerability#apache

Vaikutus

High

Tiedot

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2022-22561

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts.

8.1

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE-2022-22549

Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials.

7.5

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-22559

Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-22562

Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-22560

Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline.

7.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2022-22550

Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover.

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22565

Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data.

4.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Third-party Component

CVEs

More information

GNU gettext

CVE-2018-18751

https://nvd.nist.gov/vuln/detail/CVE-2018-18751
https://www.gnu.org/software/gettext/

OpenSSL

CVE-2021-3712

https://nvd.nist.gov/vuln/detail/CVE-2021-3712
https://www.openssl.org/news/secadv/20210824.txt

Apache

Multiple

https://httpd.apache.org/security/vulnerabilities_24.html

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2022-22561

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts.

8.1

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE-2022-22549

Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials.

7.5

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-22559

Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-22562

Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-22560

Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline.

7.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2022-22550

Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover.

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22565

Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data.

4.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Third-party Component

CVEs

More information

GNU gettext

CVE-2018-18751

https://nvd.nist.gov/vuln/detail/CVE-2018-18751
https://www.gnu.org/software/gettext/

OpenSSL

CVE-2021-3712

https://nvd.nist.gov/vuln/detail/CVE-2021-3712
https://www.openssl.org/news/secadv/20210824.txt

Apache

Multiple

https://httpd.apache.org/security/vulnerabilities_24.html

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen

CVEs Addressed

Affected Versions

Updated Versions

Link to Update

CVE-2022-22561

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

PowerScale OneFS Downloads Area

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2022-22549

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2022-22559

n/a

Upgrade your version of OneFS

9.3.0.x

Download and install the latest RUP

CVE-2022-22562

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x and 9.2.1.x

Download and install the latest RUP

CVE-2022-22560

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x and 9.2.1.x

Download and install the latest RUP

CVE-2022-22550

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2018-18751

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2021-3712

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

Apache: Multiple

8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, 9.3.0.x

Download and install the latest RUP

CVE-2022-22565

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

CVEs Addressed

Affected Versions

Updated Versions

Link to Update

CVE-2022-22561

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

PowerScale OneFS Downloads Area

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2022-22549

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2022-22559

n/a

Upgrade your version of OneFS

9.3.0.x

Download and install the latest RUP

CVE-2022-22562

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x and 9.2.1.x

Download and install the latest RUP

CVE-2022-22560

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x and 9.2.1.x

Download and install the latest RUP

CVE-2022-22550

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2018-18751

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2021-3712

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

Apache: Multiple

8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, 9.3.0.x

Download and install the latest RUP

CVE-2022-22565

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

Versiohistoria

Revision

Date

Description

1.0

2022-01-31

Initial Release

Asiaan liittyvät tiedot

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Tämän Dell Technologiesin tietoturvatiedotteen tiedot on luettava, ja niiden avulla voidaan välttää tilanteita, jotka voivat johtua tässä kuvatuista ongelmista. Dell Technologiesin tietoturvatiedotteet tuovat tärkeitä tietoturvatietoja haavoittuvuudelle alttiiden tuotteiden käyttäjien tietoon. Dell Technologies arvioi riskin perustuen asennettujen järjestelmien hajautetun joukon keskimääräisiin riskeihin, eikä se välttämättä vastaa paikallisen asennuksen ja yksittäisen ympäristön todellista riskiä. Suositus on, että kaikki käyttäjät ratkaisevat näiden tietojen sovellettavuuden yksittäisten ympäristöjen mukaan ja ryhtyvät tarvittaviin toimenpiteisiin. Tässä esitetyt tiedot annetaan “sellaisenaan” ilman minkäänlaista takuuta. Dell Technologies kiistää kaikki suorat tai epäsuorat takuut, mukaan lukien takuut soveltuvuudesta kaupankäynnin kohteeksi, sopivuudesta tiettyyn käyttötarkoitukseen, omistusoikeudesta ja loukkaamattomuudesta. Dell Technologies, sen tytäryhtiöt tai toimittajat eivät missään tilanteessa ole vastuussa mistään vahingoista, jotka johtuvat tässä asiakirjassa mainituista tiedoista tai toimenpiteistä, joihin käyttäjä päättää ryhtyä. Tämä koskee kaikkia suoria, epäsuoria, satunnaisia, välillisiä, liikevoiton menetykseen liittyviä tai erityisluontoisia vahinkoja, vaikka Dell Technologies tai sen tytäryhtiöt tai toimittajat olisivat saaneet tiedon tällaisten vahinkojen mahdollisuudesta. Jotkin osavaltiot eivät salli satunnaisten tai seuraamuksellisten vahinkojen vastuun poistamista tai rajoittamista, joten edellä mainittua rajoitusta sovelletaan vain lain sallimassa laajuudessa.

Related news

CVE-2022-29049: Jenkins Security Advisory 2022-04-12

Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name.

CVE-2022-29051: Jenkins Security Advisory 2022-04-12

Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.

CVE-2022-29036: Jenkins Security Advisory 2022-04-12

Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-29052: Jenkins Security Advisory 2022-04-12

Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CVE-2022-23161: DSA-2022-024: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities

Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contains a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker could potentially exploit this vulnerability, leading to denial-of-service. (of course this is temporary and will need to be adapted/reviewed as we determine the CWE with Srisimha Tummala 's help)

CVE-2022-24248: Offensive Security’s Exploit Database Archive

RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion via path traversal vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain web server security mechanisms such as deleting .htaccess file that would deactivate those security constraints.

CVE-2022-25796: Security Advisories | Autodesk Trust Center

A Double Free vulnerability allows remote malicious actors to execute arbitrary code on DWF file in Autodesk Navisworks 2022 within affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

CVE-2022-25794: Security Advisories | Autodesk Trust Center

An Out-Of-Bounds Read Vulnerability in Autodesk FBX Review version 1.5.2 and prior may lead to code execution through maliciously crafted ActionScript Byte Code “ABC” files or information disclosure. ABC files are created by the Flash compiler and contain executable code. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907