Security Bulletin for OpenSSL v3.0.7 (security-fix release)
On November 1st, 2022 the OpenSSL Project disclosed CVE-2022-3786 and CVE-2022-3602 – potentially critical severity vulnerabilities present in OpenSSL 3.0.x.
Pure's Product Security Incident Response Team (PSIRT) has been working with our various product engineering teams in an attempt to determine if Pure products are exposed to this issue (CVE-2022-3786 and CVE-2022-3602).
- The OpenSSL Project announced that OpenSSL Version 3.0.7 will be released on 2022-11-01 and will be labeled as a “security-fix release”, implying that the focus will be on remediation of vulnerabilities. The vulnerabilities fixed by that release are not present in any OpenSSL versions prior to v3.x.
- Pure Storage Purity Operating Environment (OE) software DOES NOT INCLUDE any OpenSSL v3.x software and thus Pure Storage products utilizing Purity (OE) software for FlashArray, FlashBlade and Pure Cloud Block Store ARE NOT AFFECTED.
- Pure Services Orchestrator, VM Analytics Collector, Virtual Appliance (OVA) and ActiveCluster On-Premises Mediator are not affected as they also do not include the vulnerable OpenSSL package.
- All Portworx products (PX Enterprise, BaaS, PDS, PX Backup / PX Central On-prem, Central SaaS) and Pure Services Orchestrator (PSO) are unaffected as they do not include the vulnerable OpenSSL package.
- Pure1, Pure1 Mobile Apps, Equinix (White Box), Fusion, Interlock (Pure1 in private datacenters) are all unaffected as they do not include the vulnerable OpenSSL package.
- FlashRecover is unaffected (see FlashBlade above); see also the Cohesity OpenSSL Security Bulletin.
At this time, this security bulletin is considered final. All Pure Storage products are unaffected by CVE-2022-3786 and CVE-2022-3602.
The announced vulnerabilities affect only OpenSSL v3.x and later.
Purity software does not include OpenSSL v3 and thus FlashArray, FlashBlade and Cloud Block Store products are not affected.
Pure Services Orchestrator, VM Analytics Collector, Virtual Appliance (OVA) and ActiveCluster On-Premises Mediator also are not affected because they do not include the vulnerable OpenSSL package.
No corrective action is required for any Pure products.
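As an added example (not part of Pure's bulletin), a small Python check that classifies `openssl version` output lines from a host inventory against the version range the bulletin describes: 3.0.0 through 3.0.6 affected, 3.0.7 fixed, anything before 3.x not affected. The inventory entries are constructed sample data, not real hosts.

```python
import re

# CVE-2022-3602 / CVE-2022-3786 were introduced in OpenSSL 3.0.0 and fixed in 3.0.7.
FIXED_IN = (3, 0, 7)

# Matches "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022" (1.x letter suffix ignored).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def classify(version_line: str) -> str:
    """Classify one `openssl version` output line.

    Returns:
      "not-affected-pre-3"  - 1.x / 2.x builds (the bug does not exist before 3.0.0)
      "affected"            - 3.0.0 through 3.0.6
      "fixed"               - 3.0.7 or later
      "unknown"             - not OpenSSL version output (e.g. LibreSSL), check by hand
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if major < 3:
        return "not-affected-pre-3"
    if (major, minor, patch) < FIXED_IN:
        return "affected"
    return "fixed"


# Constructed sample inventory: host name -> captured `openssl version` line.
SAMPLE_INVENTORY = {
    "build-host-01": "OpenSSL 3.0.5 5 Jul 2022",
    "build-host-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-box": "OpenSSL 1.1.1q  5 Jul 2022",
    "bsd-box": "LibreSSL 3.3.6",
}


def triage(inventory: dict) -> dict:
    """Return {host: classification} for every host in the inventory."""
    return {host: classify(line) for host, line in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
```

The system `openssl` binary only reports the shared library it links against; applications that bundle or statically link their own libssl need to be inventoried separately.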
"General" Mitigation Best Practices
Pure Storage recommends following network security best practices that minimize the risk of compromise due to these vulnerabilities:
- Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).
- Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to CloudAssist subnet 220.127.116.11/27 for outbound traffic. A firewall will need to permit inbound traffic for the established connection.
- Pure Storage strongly encourages the widely endorsed best practice of highly restricting, if not blocking altogether, Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.
- Closely monitor arrays for abnormal or unexpected workload/IO spikes or utilization as a leading indicator.
- Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.
If you would like one of our engineers to assist you with this issue, please call +1 (866) 244-7121. If calling from outside the US, a list of phone numbers is available at https://support.purestorage.com/Pure1/Support.
Support Escalation - How To Escalate a Case
If you believe that you may have been actively exploited, please call +1(866) 244-7121 and request for a Severity 1 case to be created.
For all other requests for assistance that are not an active Severity 1 / outage / critical issue, please contact Pure Storage Technical Services for assistance.
If calling from outside the US, a list of phone numbers is available at https://support.purestorage.com/Pure1/Support. Pure Storage customers can escalate cases in the following ways:
- Call Pure Storage Support and ask to speak with the Support Manager on Duty.
  PHONE (US) +1 (866) 244-7121 or +1 (650) 729-4088
  PHONE (INTERNATIONAL) support.purestorage.com/pure1/support
- Click the escalation link on one of the case emails. Every email from Pure Storage Support displays the following question near the bottom, including a dynamic link: “Not satisfied with the handling of this case? Click here to escalate.”
- In the upper right-hand corner of the Pure1 Case Portal, click Escalate.
Please also see: Customer Escalation Procedures for additional information.