Dell PowerScale OneFS Security Update for Multiple Vulnerabilities [CVE-2021-36305 & CVE-2021-29626]
CVE numbers – CVE-2021-36305 and CVE-2021-29626
CVE-2021-36305
Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data in a Multithreaded Context vulnerability in SMB CA handling. An authenticated SMB user on a cluster with CA may potentially exploit this vulnerability, leading to a denial of service over SMB.
To fix this issue, upgrade your version of OneFS. Updates can be downloaded from https://www.dell.com/support/home/en-ie/product-support/product/isilon-onefs/drivers
Workarounds or Mitigations
Disabling Continuous Availability (CA) on all SMB shares that have it enabled prevents the issue.
CVE-2021-29626
FreeBSD – In OneFS, copy-on-write logic failed to invalidate shared memory page mappings between multiple processes, which may allow an unprivileged process to maintain a mapping after it is freed, allowing the process to read private data belonging to other processes or the kernel.
To fix this issue, upgrade your version of OneFS. Updates can be downloaded from https://www.dell.com/support/home/en-ie/product-support/product/isilon-onefs/drivers
Workarounds or Mitigations
Disallow ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_LOGIN_SSH privileges to non-administrative users.
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.