Pure Technical Services

Security Advisory: Pure Response to Log4j / Log4Shell


On December 18, 2021, a new Apache Log4j/Log4Shell Security Vulnerability CVE-2021-45105 was published.  Pure Storage has assessed all Pure product families against this new vulnerability.  FlashArray, FlashBlade, Cloud Block Store, Portworx, Pure1, and VM Analytics Collector are not affected by this vulnerability.

On December 9, 2021, a remote code execution (RCE) vulnerability in Apache Log4j / Log4Shell, CVE-2021-44228, was identified as being exploited.  Pure Storage FlashArray, FlashBlade, Pure Cloud Block Store, Portworx and VM Analytics Collector require a Purity upgrade or a patch to mitigate the known risks caused by this vulnerability.

Our customers are a top priority for us, and we understand that uptime is crucial to their business.  Pure has reviewed the recently published Apache Log4j / Log4Shell remote code execution vulnerability tracked as CVE-2021-44228 and assessed its impact on our products.  Remediation per product and Purity version is outlined below.

Pure Storage recommends following network security best practices that minimize the risk of compromise due to this vulnerability, including, but not limited to:

  • Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses.  Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).
  • Restrict outbound Internet access to trusted destinations.  Phone Home and Remote Assist (RA) require port 443 (https) to be open to the CloudAssist subnet 52.40.255.224/27 only for outbound traffic, and your firewall will need to accept inbound traffic for the established connection.
  • Pure Storage strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to administrative login interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.
  • Closely monitor arrays for abnormal or unexpected workload/IO spikes or utilization as a leading indicator.
  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.
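The two network recommendations above (management access only from trusted networks; outbound traffic only to the CloudAssist subnet on port 443) can be turned into a policy that is checked against firewall logs, which also serves the monitoring recommendation. The following is an added example and not Pure Storage tooling: the CloudAssist subnet and port are taken from this advisory, while the trusted management networks, the bastion host address, the log line format and the sample log lines are assumptions constructed for the example.

```python
"""Policy check for the network hardening recommendations above.

Added example, not Pure Storage tooling. The CloudAssist subnet and port
come from the advisory; trusted management networks, the log format and the
sample log lines are constructed assumptions.
"""
import ipaddress
import re

# From the advisory: Phone Home / Remote Assist need outbound 443 to this subnet only.
CLOUDASSIST_SUBNET = ipaddress.ip_network("52.40.255.224/27")
CLOUDASSIST_PORT = 443

# Assumption: networks from which the array management interfaces may be reached.
TRUSTED_MGMT_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),  # assumed admin VLAN
    ipaddress.ip_network("10.20.5.5/32"),  # assumed jump box (bastion host)
]

# Assumption: simplified firewall log line "<in|out> src=<ip> dst=<ip> dport=<port>".
LOG_RE = re.compile(
    r"^(?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$"
)


def outbound_allowed(dst, port):
    """Outbound traffic from the array is permitted only to CloudAssist on 443."""
    return ipaddress.ip_address(dst) in CLOUDASSIST_SUBNET and port == CLOUDASSIST_PORT


def inbound_allowed(src):
    """Inbound management access is permitted only from trusted networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_MGMT_NETWORKS)


def find_violations(log_lines):
    """Return every log line the policy would not permit (unparseable lines included)."""
    violations = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            violations.append(line)  # surface anything we cannot classify
            continue
        port = int(m["port"])
        if m["dir"] == "out":
            allowed = outbound_allowed(m["dst"], port)
        else:
            allowed = inbound_allowed(m["src"])
        if not allowed:
            violations.append(line)
    return violations


# Constructed sample log lines (not real traffic); 10.10.0.50 is the assumed array.
SAMPLE_LOG = [
    "out src=10.10.0.50 dst=52.40.255.230 dport=443",  # Phone Home: allowed
    "out src=10.10.0.50 dst=52.40.255.230 dport=80",   # wrong port: violation
    "out src=10.10.0.50 dst=203.0.113.7 dport=443",    # destination outside allowlist: violation
    "in src=10.10.0.12 dst=10.10.0.50 dport=443",      # admin VLAN: allowed
    "in src=198.51.100.9 dst=10.10.0.50 dport=22",     # Internet-sourced SSH: violation
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("VIOLATION:", v)
```

Lines flagged by `find_violations` are the ones worth reviewing first: an outbound connection from the array to anything other than the CloudAssist subnet on 443 is exactly the traffic the egress restriction exists to block, and an inbound management connection from outside the trusted set indicates the management interface is reachable more widely than intended.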
Product | Version | Purity Version Fix | Patch
--- | --- | --- | ---
FlashArray | Purity//FA 5.3.x | 5.3.18 Available | Available
FlashArray | Purity//FA 6.0.x | 6.0.9 Available | Available
FlashArray | Purity//FA 6.1.x | 6.1.13 Available | Available
FlashArray | Purity//FA 6.2.x | 6.2.4 Available | Available
Pure Cloud Block Store | 6.1.x PAZ | 6.1.13 PAZ Available | N/A
Pure Cloud Block Store | 6.1.x PAWS | 6.1.13 PAWS Available | N/A
Pure Cloud Block Store | 6.2.x PAZ | 6.2.4 PAZ Available | N/A
Pure Cloud Block Store | 6.2.x PAWS | 6.2.4 PAWS Available | N/A
FlashBlade | Purity//FB 3.0.x (EOL) | N/A | Available
FlashBlade | Purity//FB 3.1.x | 3.1.12 Available | Available
FlashBlade | Purity//FB 3.2.x | 3.2.5 Available | Available
FlashBlade | Purity//FB 3.3.x | 3.3.1 Available | Available
Portworx | Portworx 2.8.0+ with telemetry enabled | ccm-service:3.0.8 Available | N/A
Pure VMA Collector | v3.x | VMA collector v3.1.4 Available | N/A
Pure1 | N/A | Pure1 infrastructure updated | N/A
Pure Storage Orchestrator (PSO) | N/A | Not affected by CVE-2021-44228, CVE-2021-45406, CVE-2021-45150 | N/A
Pure Storage ActiveCluster On-Premises Mediator | N/A | Not affected by CVE-2021-44228, CVE-2021-45406, CVE-2021-45150 | N/A
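For a fleet with several arrays it is worth checking running Purity versions against the minimum fixed builds in the table rather than eyeballing them. The following is an added example, not a Pure Storage utility: the fixed versions are copied from the FlashArray and FlashBlade rows of the table above, while the inventory format and the sample hosts are constructed assumptions.

```python
"""Compare running Purity versions against the minimum fixed builds in the table.

Added example, not Pure Storage tooling. Fixed versions come from the
advisory table; the inventory and its hosts are constructed assumptions.
"""

# Minimum fixed Purity build per release train, from the advisory table.
# A train with no fixed build (EOL) is remediated by patch only.
FIXED_VERSIONS = {
    "FlashArray": {"5.3": "5.3.18", "6.0": "6.0.9", "6.1": "6.1.13", "6.2": "6.2.4"},
    "FlashBlade": {"3.0": None, "3.1": "3.1.12", "3.2": "3.2.5", "3.3": "3.3.1"},
}


def parse_version(version):
    """Turn '6.1.13' into (6, 1, 13) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess(product, version):
    """Return 'fixed', 'upgrade', 'patch-only' (EOL train) or 'unknown-train'.

    'unknown-train' means the table above does not list that train; it is not
    a statement that the train is safe.
    """
    train = ".".join(version.split(".")[:2])
    table = FIXED_VERSIONS.get(product, {})
    if train not in table:
        return "unknown-train"
    fixed = table[train]
    if fixed is None:
        return "patch-only"
    return "fixed" if parse_version(version) >= parse_version(fixed) else "upgrade"


def report(inventory):
    """Map each host to its remediation status."""
    return {host: assess(product, version) for host, product, version in inventory}


# Constructed inventory: (hostname, product, running Purity version).
INVENTORY = [
    ("fa-01", "FlashArray", "6.1.10"),  # below 6.1.13: upgrade
    ("fa-02", "FlashArray", "6.2.4"),   # exactly the fixed build: fixed
    ("fb-01", "FlashBlade", "3.0.7"),   # EOL train: patch-only
    ("fb-02", "FlashBlade", "3.2.6"),   # above 3.2.5: fixed
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Numeric comparison matters here: as plain strings "6.1.9" sorts after "6.1.13", which would mark an unpatched array as fixed.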


Please contact Pure Storage Global Technical Services if you have any questions or require assistance applying the patches or upgrade fixes.

Thank you,

Pure Storage Global Technical Services