Pure Technical Services

Security Bulletin "SpringShell" or "Spring4Shell" CVE-2022-22965



Summary 

CVE-2022-22965, also known as "SpringShell" or "Spring4Shell", describes a weakness in Spring Framework data binding that can allow remote code execution on a vulnerable system. Multiple additional conditions must be true for the weakness to become an exploitable vulnerability: the prerequisites published with the Spring advisory for the known exploit path are JDK 9 or later, Apache Tomcat as the servlet container, the application packaged as a traditional WAR, and a dependency on spring-webmvc or spring-webflux. Spring Framework 5.3.18 and 5.2.20 contain the fix; older, unsupported lines are also affected. The Pure Storage PSIRT calculated a CVSS Base score of 8.1 High (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
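The following triage script is an added example, not Pure Storage code or tooling. It encodes the fixed versions and the published preconditions for the known exploit path so that an application inventory can be sorted into "fixed", "exploitable" and "vulnerable but the public exploit would not work as-is". The inventory records, field names and the App structure are constructed for illustration.

```python
"""Exposure triage for CVE-2022-22965 over a constructed application inventory.

Added example, not Pure Storage code. Encodes the fixed releases
(Spring Framework 5.3.18 / 5.2.20) and the preconditions the Spring advisory
lists for the known exploit path. Inventory records below are constructed.
"""
import re
from dataclasses import dataclass

# Lowest patched release per supported 5.x minor line. Other 5.x lines and
# everything older are unsupported and affected; 6.x never carried the bug.
FIXED_PATCH = {(5, 3): 18, (5, 2): 20}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Parse '5.3.17' or '5.2.19.RELEASE' into a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {text!r}")
    return tuple(int(x) for x in m.groups())


def framework_affected(version: str) -> bool:
    """True when this Spring Framework release still contains the weakness."""
    major, minor, patch = parse_version(version)
    if major >= 6:
        return False
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return True  # unsupported line: no fixed release exists, treat as affected
    return patch < fixed


@dataclass(frozen=True)
class App:
    name: str
    spring_version: str
    jdk_major: int
    container: str   # e.g. "tomcat", "embedded-tomcat", "jetty" (assumed field)
    packaging: str   # "war" or "jar" (assumed field)
    web_module: str  # "spring-webmvc", "spring-webflux" or "" (assumed field)


def triage(app: App) -> tuple:
    """Classify one app as ('fixed' | 'exploitable' | 'vulnerable', reason).

    'vulnerable' means the framework is affected and must still be patched,
    but at least one published precondition for the known exploit is missing.
    """
    if not framework_affected(app.spring_version):
        return "fixed", f"Spring {app.spring_version} contains the fix"
    missing = []
    if app.jdk_major < 9:
        missing.append("JDK 9+")
    if app.container != "tomcat":
        missing.append("standalone Tomcat")
    if app.packaging != "war":
        missing.append("WAR packaging")
    if app.web_module not in ("spring-webmvc", "spring-webflux"):
        missing.append("spring-webmvc/webflux")
    if missing:
        return "vulnerable", "patch; known exploit path blocked by: " + ", ".join(missing)
    return "exploitable", "all preconditions for the known exploit path are met"


def triage_inventory(apps) -> dict:
    return {a.name: triage(a) for a in apps}


# Constructed inventory for illustration (not real deployments).
INVENTORY = [
    App("portal", "5.3.17", 11, "tomcat", "war", "spring-webmvc"),
    App("api", "5.3.18", 11, "tomcat", "war", "spring-webmvc"),
    App("batch", "5.2.19.RELEASE", 8, "tomcat", "war", "spring-webmvc"),
    App("svc", "5.3.17", 17, "embedded-tomcat", "jar", "spring-webmvc"),
    App("legacy", "4.3.30.RELEASE", 11, "tomcat", "war", "spring-webmvc"),
]

if __name__ == "__main__":
    for name, (status, why) in triage_inventory(INVENTORY).items():
        print(f"{name:8} {status:12} {why}")
```

The "vulnerable" bucket is deliberately not "safe": the preconditions describe the public proof of concept, not the weakness itself, so every affected release is still scheduled for upgrade; the classification only sets the order in which to do it.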

Corrective Action

No corrective action is required for any Pure Storage products.

Pure Storage has confirmed that Pure1 was vulnerable to CVE-2022-22965, but WAF rules blocked exploitation attempts. Pure1 was promptly remediated and is now fixed; the WAF rules remain in place as an additional layer of protection.

No other Pure Storage product is affected by CVE-2022-22965.

Product                              Evaluated Version        Impact/Status
FlashArray                           Purity//FA 6.2.x         Not affected
FlashArray                           Purity//FA 6.1.x         Not affected
FlashArray                           Purity//FA 6.0.x         Not affected
FlashArray                           Purity//FA 5.3.x         Not affected
Pure Cloud Block Store               6.1.x PAZ                Not affected
Pure Cloud Block Store               6.1.x PAWS               Not affected
Pure Cloud Block Store               6.2.x PAZ                Not affected
Pure Cloud Block Store               6.2.x PAWS               Not affected
FlashBlade                           Purity//FB 3.0.x (EOL)   Not affected
FlashBlade                           Purity//FB 3.1.x         Not affected
FlashBlade                           Purity//FB 3.2.x         Not affected
FlashBlade                           Purity//FB 3.3.x         Not affected
Portworx                             N/A                      Not affected
Pure Services Orchestrator (PSO)     N/A                      Not affected
Pure1                                N/A                      Fixed
Pure1 Mobile Apps                    N/A                      Not affected
VM Analytics Collector               3.1.8                    Not affected
Virtual Appliance (OVA)              3.4.0                    Not affected
Active Cluster On-Premises Mediator  N/A                      Not affected

General Mitigation Best Practices

Pure Storage recommends following network security best practices that minimize the risk of compromise:

  • Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).

  • Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require outbound port 443 (https) to the CloudAssist subnet 52.40.255.224/27. These connections are initiated by the array, so the firewall needs a stateful rule that permits the return traffic of established connections; it does not need to allow unsolicited inbound sessions from that subnet.

  • Pure Storage strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.

  • Closely monitor arrays for abnormal or unexpected workload/IO spikes or utilization as a leading indicator of compromise.

  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.
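The following audit script is an added example, not Pure Storage code or a supported tool; it shows how the network rules in the list above can be checked mechanically against firewall flow records. It encodes three of the rules: outbound Internet traffic from the array management interface goes only to the CloudAssist subnet 52.40.255.224/27 on tcp/443, that subnet never initiates sessions toward the array (only return traffic for array-initiated connections is expected), and the management interface is reached only from a trusted administrative network. The array address, the jump-box subnet, the log format and the log lines themselves are constructed assumptions.

```python
"""Policy check for array management traffic over constructed flow records.

Added example, not Pure Storage code. Each record is one session as a
stateful firewall would log it: "<initiator_ip> <responder_ip> <proto> <dport>".
The array address, trusted admin subnet and log lines are assumptions.
"""
import ipaddress

CLOUDASSIST = ipaddress.ip_network("52.40.255.224/27")        # from the bulletin
ARRAY_MGMT = {ipaddress.ip_address("10.20.0.10")}             # assumed array mgmt VIP
TRUSTED_ADMIN = [ipaddress.ip_network("10.20.100.0/24")]      # assumed jump-box subnet
INTERNAL = [ipaddress.ip_network(n) for n in               # site-internal ranges (assumed)
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def classify(src, dst, proto, dport):
    """Return None for an allowed session, otherwise a short finding text."""
    if src in ARRAY_MGMT:
        if _in_any(dst, INTERNAL):
            return None                          # internal traffic, out of scope here
        if dst in CLOUDASSIST and proto == "tcp" and dport == 443:
            return None                          # Phone Home / Remote Assist
        return f"array egress to untrusted destination {dst} {proto}/{dport}"
    if dst in ARRAY_MGMT:
        if _in_any(src, TRUSTED_ADMIN):
            return None                          # jump box / bastion access
        if src in CLOUDASSIST:
            return "inbound session initiated from CloudAssist subnet; only return traffic expected"
        return f"management access from untrusted source {src}"
    return None


def check_session(src, dst, proto, dport):
    """String-argument convenience wrapper around classify()."""
    return classify(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def audit(lines):
    """Parse flow records; return (findings, skipped) where findings are
    (line_number, record, reason) tuples and skipped counts unparsable lines."""
    findings, skipped = [], 0
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 4:
            skipped += 1
            continue
        try:
            reason = check_session(*parts)
        except ValueError:                       # bad address or port field
            skipped += 1
            continue
        if reason:
            findings.append((n, line, reason))
    return findings, skipped


# Constructed flow records for illustration.
LOG = """\
10.20.0.10 52.40.255.230 tcp 443
10.20.0.10 52.40.255.230 tcp 80
10.20.0.10 203.0.113.7 tcp 443
10.20.100.5 10.20.0.10 tcp 443
198.51.100.9 10.20.0.10 tcp 22
52.40.255.230 10.20.0.10 tcp 443
10.20.0.10 10.20.5.5 udp 514
not a flow record
""".splitlines()

if __name__ == "__main__":
    found, skipped = audit(LOG)
    for n, rec, why in found:
        print(f"line {n}: {rec!r}: {why}")
    print(f"{len(found)} findings, {skipped} unparsable lines")
```

On the constructed records the script flags the array talking to the CloudAssist subnet on a port other than 443, the array reaching an arbitrary Internet host, an SSH session to the management interface from outside the jump-box subnet, and a session initiated from the CloudAssist range toward the array. The last finding is the one most often misread as legitimate: return traffic for an array-initiated connection is expected, a new inbound session from that range is not.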

Contacting Support

If you would like one of our engineers to assist you with this issue please call +1 866-244-7121. If calling from outside the US here is a list of phone numbers:  https://support.purestorage.com/Pure1/Support.

Thank you,

Pure Storage Global Technical Services