Skip to main content
Contact Us
Register
Pure Technical Services

Pure Security

  1. Last updated
  2. Save as PDF

Currently viewing public documentation. Please login to access the full scope of documentation.

Pure Security
Here at Pure Storage, we are driven by storage and our passion for security. Learn more about how our security DNA gives you peace of mind over your data security program.
Quick Links
White Papers Field Bulletins CVE Database (login required) Contact Us

Security Documentation 

Our Security features are documented across various Product Documentation on our site. Here's a quick reference to our various Security sections.

FlashArray Security Documentation

Additional Reference:

FlashBlade Security Documentation

Customers should feel comfortable that their data is stored safely. Here is some documentation on FlashBlade Security.

All blades that are returned to Pure undergo a stress test which erases and overwrites the data in every block within the NAND. Any blade that does not pass the stress test (broken, too worn, etc) is destroyed. We also offer a non-return option. This is more expensive to the customer as Pure does not get the blade returned. The support process for determining broken parts is the same except the customer would be responsible for the destruction of the non-returned part.

Additional Reference:

Pure1 Security Documentation
Portworx Security Documentation
Enterprise Security Documentation

Security Bulletins

 

Auto-On Safemode

Auto-on SafeMode is a Purity //FA feature enabled in 6.4.x intended to protect customers from ransomware attacks and allow them to recover.  This feature is enabled for new workloads on arrays.

Security Bulletin for CVE-2023-29059 3CX Voice Over IP Desktop Client Supply Chain attack vulnerability

Pure Storage products/ and internal systems (supply chain) are not affected by the 3CX Voice Over IP Protocol (VOIP) Desktop Client vulnerability 

Security Bulletin for CVE-2022-47939 Linux ksmbd Vulnerability ZDI-22-1690.

Pure Storage products and services are not affected by the Linux ksmbd vulnerability. 

Security Bulletin for CVE-2022-42889 (Apache Commons Text) and CVE-2022-33980 (Apache Commons Configuration).

Pure Storage products are not affected by these two Apache Commons issues. 

Security Bulletin for CVE-2022-37966 Native SMB or Kerebos NFS failes to authenticate with Active Directory.

Please see Security Bulletin for //FB with Native SMB or Kerberos-based NFS fails to authenticate with Active Directory After MS Kerberos Patch is Applied

Updated Nov 19 2022.  Please see Microsoft's updated guidance posted 18-Nov-2022 - Sign in failures and other issues related to Kerberos authentication which details mitigation steps.

Security Bulletin for CVE-2022-3786, CVE-2022-3602 OpenSSL v3.0.x

On October 25, 2022, the OpenSSL project announced that OpenSSL (v3.0.7) would be released to fix a serious security flaw.  On November, 1st 2022 the OpenSSL Project disclosed CVE-2022-3786 and CVE-2022-3602  – potentially critical severity vulnerabilities present in OpenSSL 3.0.x.  Pure's Product Security Incident Response Team (PSIRT) has been working with our various product engineering teams in an attempt to determine if Pure products are exposed to this issue (CVE-2022-3786 and CVE-2022-3602).  Please see the following Interim Pure Storage Security Bulletin.  This Interim Security Bulletin will continue to be updated as we identify any additional relevant information.

Security Advisories

Security Advisory for CVE-2022-22965 Pure response to "SpingShell" or "Spring4Shell"

WAF rules mitigated against exploitation regarding the "Spring4Shell" Remote Code Execution Vulnerability (CVE-2022-22965).

Security Advisory for CVE-2021-44228 Pure response to Apache Log4j/Log4Shell

A self-service, online, non-disruptive patch to address the Log4j vulnerability (CVE-2021-44228) is now available.

What can we learn from the Log4j vulnerability CVE-2021-44228?

This informative guide provides insights on how to respond to significant industry wide security vulnerabilities such as Log4j.

clipboard_eabc359c3af58b171e2b6ea5f525ec5b9.png

Security Advisory for CVE-2022-0847 Pure response to "Dirty Pipe"

This advisory describes a Linux kernel privilege escalation vulnerability that allows a local user to gain super-user privileges. CVSS Base score 7.8 High (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).  (CVE-2022-0847)

Security Advisory for CVE-2022-32552, CVE-2022-32553, CVE-2022-32554, CVE-2021-44228 Critical Cumulative Security Bundle 

A self-service, online, non-disruptive patch to address four distinct security concerns is NOW AVAILABLE. The issues affect only FlashArray and FlashBlade products; no other Pure Storage products or services are affected.  The security bundle  patch can be delivered via Pure1 for certain versions. Click here for the Security Bulletin and FAQ regarding this cumulative Security Bundle release.