Headline
CVE-2023-44295: DSA-2023-417: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities
Dell PowerScale OneFS versions 8.2.2.x through 9.6.0.x contain an improper control of a resource through its lifetime vulnerability. A low-privilege attacker could potentially exploit this vulnerability, leading to loss of information and information disclosure.
Impact
High
Details
Third-Party Component | CVE | CVSS Base Score | CVSS Vector String
--- | --- | --- | ---
OpenSSH | CVE-2023-38408 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Proprietary Code CVE(s) | Description | CVSS Base Score | CVSS Vector String
--- | --- | --- | ---
CVE-2023-44288 | Dell PowerScale OneFS, 8.2.2.x through 9.6.0.x, contains an improper control of a resource through its lifetime vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, leading to denial of service. | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-44295 | Dell PowerScale OneFS versions 8.2.2.x through 9.6.0.x contain an improper control of a resource through its lifetime vulnerability. A low-privilege attacker could potentially exploit this vulnerability, leading to loss of information and information disclosure. | 6.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.
Affected Products and Remediation
CVE(s) Addressed | Product | Affected Version(s) | Remediated Version(s) | Link
--- | --- | --- | --- | ---
CVE-2023-38408 | PowerScale OneFS | Version 9.4.0.0 through 9.4.0.15 | Version 9.4.0.16 or later; RUP for version 9.5 is expected in January 2024. | PowerScale OneFS Downloads Area
CVE-2023-38408 | PowerScale OneFS | Version 9.5.0.0 through 9.5.0.6 | RUP for version 9.5 is expected in January 2024 | PowerScale OneFS Downloads Area
CVE-2023-44295 | PowerScale OneFS | Version 8.2.2.x through 9.6.0.x | None | Please refer to KB article 000219929: “SyncIQ and SmartSync do not preserve file quarantine attributes”
CVE-2023-44288 | PowerScale OneFS | Version 8.2.2.x through 9.6.0.x | None | Please refer to KB article 000219931: “NDMP does not automatically close the connection from the security scanner.”
Any version prior to PowerScale OneFS version 9.4.0.16 not listed in the Affected Products and Remediation section should be upgraded to PowerScale OneFS version 9.4.0.16.
CVE-2023-38408: Customers on 9.6.0.x should upgrade to the upcoming 9.7 release (expected to release in December 2023). RUP for version 9.5 is expected in January 2024.
Workarounds and Mitigations
CVE | Workaround/mitigation
--- | ---
CVE-2023-38408 | Please refer to the OpenSSH security advisory for a workaround. Note: A user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE is potentially impacted.
CVE-2023-44295 | Please refer to the KB link for mitigation.
CVE-2023-44288 | Please refer to the KB link for mitigation.
Revision History
Revision | Date | Description
--- | --- | ---
1.0 | 2023-12-05 | Initial Release
Related Information
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide