Our Security features are documented across various Product Documentation on our site. Here's a quick reference to our various Security sections.
Auto-on SafeMode is a Purity //FA feature enabled in 6.4.x intended to protect customers from ransomware attacks and allow them to recover. This feature is enabled for new workloads on arrays.
Security Bulletin for CVE-2023-29059 3CX Voice Over IP Desktop Client Supply Chain attack vulnerability
Pure Storage products and internal systems (supply chain) are not affected by the 3CX Voice Over IP Protocol (VOIP) Desktop Client vulnerability.
Security Bulletin for CVE-2022-47939 Linux ksmbd Vulnerability ZDI-22-1690.
Pure Storage products and services are not affected by the Linux ksmbd vulnerability.
Security Bulletin for CVE-2022-42889 (Apache Commons Text) and CVE-2022-33980 (Apache Commons Configuration).
Pure Storage products are not affected by these two Apache Commons issues.
Security Bulletin for CVE-2022-37966 Native SMB or Kerberos NFS fails to authenticate with Active Directory.
Please see Security Bulletin for //FB with Native SMB or Kerberos-based NFS fails to authenticate with Active Directory After MS Kerberos Patch is Applied.
Updated Nov 19 2022. Please see Microsoft's updated guidance posted 18-Nov-2022 - Sign in failures and other issues related to Kerberos authentication which details mitigation steps.
Security Bulletin for CVE-2022-3786, CVE-2022-3602 OpenSSL v3.0.x
On October 25, 2022, the OpenSSL project announced that OpenSSL (v3.0.7) would be released to fix a serious security flaw. On November 1, 2022, the OpenSSL Project disclosed CVE-2022-3786 and CVE-2022-3602 – potentially critical severity vulnerabilities present in OpenSSL 3.0.x. Pure's Product Security Incident Response Team (PSIRT) has been working with our various product engineering teams in an attempt to determine if Pure products are exposed to this issue (CVE-2022-3786 and CVE-2022-3602). Please see the following Interim Pure Storage Security Bulletin. This Interim Security Bulletin will continue to be updated as we identify any additional relevant information.
Security Advisory for CVE-2022-22965 Pure response to "SpringShell" or "Spring4Shell"
WAF rules mitigated exploitation of the "Spring4Shell" Remote Code Execution Vulnerability (CVE-2022-22965).
Security Advisory for CVE-2021-44228 Pure response to Apache Log4j/Log4Shell
A self-service, online, non-disruptive patch to address the Log4j vulnerability (CVE-2021-44228) is now available.
What can we learn from the Log4j vulnerability CVE-2021-44228?
This informative guide provides insights on how to respond to significant industry wide security vulnerabilities such as Log4j.
Security Advisory for CVE-2022-0847 Pure response to "Dirty Pipe"
This advisory describes a Linux kernel privilege escalation vulnerability that allows a local user to gain super-user privileges. CVSS Base score 7.8 High (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (CVE-2022-0847)
Security Advisory for CVE-2022-32552, CVE-2022-32553, CVE-2022-32554, CVE-2021-44228 Critical Cumulative Security Bundle
A self-service, online, non-disruptive patch to address four distinct security concerns is NOW AVAILABLE. The issues affect only FlashArray and FlashBlade products; no other Pure Storage products or services are affected. The security bundle patch can be delivered via Pure1 for certain versions. Click here for the Security Bulletin and FAQ regarding this cumulative Security Bundle release.