Pure Technical Services

Security Bulletin for OpenSSL v3.0.7 (security-fix release)



Summary

  • On November 1st, 2022 the OpenSSL Project disclosed CVE-2022-3786 and CVE-2022-3602 – potentially critical severity vulnerabilities present in OpenSSL 3.0.x.

  • Pure's Product Security Incident Response Team (PSIRT) has been working with our various product engineering teams to determine whether Pure products are exposed to this issue (CVE-2022-3786 and CVE-2022-3602).

  • The OpenSSL Project announced that OpenSSL Version 3.0.7 will be released on 2022-11-01 and will be labeled as a “security-fix release”, implying that the focus will be on remediation of vulnerabilities.  The vulnerabilities fixed by that release are not present in any OpenSSL versions prior to v3.x.
    • Pure Storage Purity Operating Environment (OE) software DOES NOT INCLUDE any OpenSSL v3.x software and thus Pure Storage products utilizing Purity (OE) software for FlashArray, FlashBlade and Pure Cloud Block Store ARE NOT AFFECTED.
    • Pure Services Orchestrator, VM Analytics Collector, Virtual Appliance (OVA) and ActiveCluster On-Premises Mediator are not affected as they also do not include the vulnerable OpenSSL package.
    • All Portworx products (PX Enterprise, BaaS, PDS, PX Backup / PX Central On-prem, Central SaaS) and Pure Services Orchestrator (PSO) are unaffected as they do not include the vulnerable OpenSSL package.
    • Pure1, Pure1 Mobile Apps, Equinix (White Box), Fusion, Interlock (Pure1 in private datacenters) are all unaffected as they do not include the vulnerable OpenSSL package.
    • Pure Storage® FlashBlade//S™ with Cohesity® Data Protect™ is unaffected (see FlashBlade above and the Cohesity OpenSSL Security Bulletin).

At this time, this security bulletin is considered final.  All Pure Storage products are unaffected by CVE-2022-3786 and CVE-2022-3602.

Details

  • The announced vulnerabilities affect only OpenSSL v3.x and later.

  • Purity software does not include OpenSSL v3 and thus FlashArray, FlashBlade and Cloud Block Store products are not affected.

  • Pure Services Orchestrator, VM Analytics Collector, Virtual Appliance (OVA) and ActiveCluster On-Premises Mediator also are not affected because they do not include the vulnerable OpenSSL package.
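The version rule above (present in OpenSSL 3.0.x, fixed in the 3.0.7 security-fix release, absent before 3.x) can be applied to a host inventory. The following is an added example, not Pure's code; it assumes banner text in the form printed by `openssl version`, and the host names and banners are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Range stated in the bulletin: the two CVEs exist only in OpenSSL 3.0.x
# builds earlier than the 3.0.7 security-fix release.
FIRST_AFFECTED = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# Matches the leading numeric triple of an `openssl version` banner, e.g.
# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022" (the 1.1.1
# letter suffix is ignored; only major/minor/patch matter for this check).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an `openssl version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(banner: str) -> Optional[bool]:
    """True if the build is inside the affected range, False if outside, None if unparseable."""
    v = parse_openssl_version(banner)
    if v is None:
        return None
    return FIRST_AFFECTED <= v < FIXED_IN


def classify_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' / 'not affected' / 'unknown' from banner strings."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {host: labels[is_affected(banner)] for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real systems).
# A LibreSSL banner is included to show that the rule must not be applied to it.
SAMPLE_INVENTORY = {
    "jump-box-01": "OpenSSL 3.0.5 5 Jul 2022",
    "build-agent-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-app-03": "OpenSSL 1.1.1q  5 Jul 2022",
    "appliance-04": "LibreSSL 3.6.1",
}

if __name__ == "__main__":
    for host, verdict in classify_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "unknown" need a manual check, since a non-OpenSSL banner (or a statically linked library that the system binary does not reflect) is outside what this string match can decide.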

Corrective Action

  • No corrective action is required for any Pure products.

"General" Mitigation Best Practices

Pure Storage recommends following network security best practices that minimize the risk of compromise due to these vulnerabilities:

  • Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).

  • Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to CloudAssist subnet 52.40.255.224/27 for outbound traffic. A firewall will need to permit inbound traffic for the established connection. 

  • Pure Storage strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.

  • Closely monitor arrays for abnormal or unexpected workload/IO spikes or utilization as a leading indicator.

  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.

Contacting Support

If you would like one of our engineers to assist you with this issue, please call +1 (866) 244-7121. If calling from outside the US, a list of phone numbers is available at https://support.purestorage.com/Pure1/Support.