Pure Technical Services

Security Bulletins



Please see below for the most recent security bulletins. The comprehensive security advisories list is available in our CVE Database.

Legend for Rating/Score: 9.0 - 10.0 Critical || 7.0 - 8.9 High || 4.0 - 6.9 Medium || 0.1 - 3.9 Low

Security Bulletins

| CVE Reference & CVSS 3.1 Score/Vector | Description | Product / Corrective Action |
| --- | --- | --- |
| CVE-2023-48795 - 5.9 Medium; CVE-2023-46445 - 5.9 Medium; CVE-2023-46446 - 6.8 Medium | Security Bulletin for Terrapin vulnerabilities | No corrective action is required for FlashBlade. Refer to the Security Bulletin for FlashArray. |
| CVE-2023-38545 - 9.8 Critical; CVE-2023-38546 - 3.7 Low | Security Bulletin for cURL and libcurl vulnerabilities | No corrective action is required for any Pure Storage products. |
| CVE-2023-44487 - 7.5 High | Security Bulletin for HTTP/2 Rapid Reset Vulnerability - FlashBlade and FlashArray | No corrective action is required for FlashArray. Refer to the Security Bulletin for FlashBlade. |
| CVE-2022-40982 - 6.5 Medium | Security Bulletin for Intel Downfall Vulnerability | No corrective action is required for any Pure Storage products. |
| CVE-2023-34362 - 9.8 Critical; CVE-2023-35036 - 9.1 Critical; CVE-2023-35708 - 9.8 Critical | Security Bulletin for MOVEit Transfer Vulnerabilities | No corrective action is required for any Pure Storage products. |
| CVE-2022-38023 - 8.1 High | Security Bulletin Microsoft Netlogon RPC Elevation of Privilege Vulnerability CVE-2022-38023 | FlashArray |
| CVE-2021-44228 - 9.6 Critical | Security Bulletin Log4j/Log4Shell CVE-2021-44228; What can we learn from the Log4j vulnerability CVE-2021-44228? | FlashArray, FlashBlade, CloudBlockStore, Portworx |
| CVE-2022-22965 - 9.8 Critical | Security Bulletin SpringShell or Spring4Shell CVE-2022-22965 | No corrective action is required for any Pure Storage products. |
| CVE-2022-3786 - 7.5 High; CVE-2022-3602 - 7.5 High | Security Bulletin OpenSSL v3.0.x CVE-2022-3786, CVE-2022-3602 | No corrective action is required for any Pure Storage products. |
| CVE-2022-37966 - 8.1 High | Security Bulletin Native SMB or Kerberos NFS fails to authenticate with Active Directory | Please see Microsoft's updated guidance posted 18-Nov-2022, "Sign in failures and other issues related to Kerberos authentication", which details mitigation steps. |
| CVE-2022-42889 - 9.8 Critical; CVE-2022-33980 - 9.8 Critical | Security Bulletin Apache Commons Text and Apache Commons Configuration CVE-2022-42889, CVE-2022-33980 | No corrective action is required for any Pure Storage products. |
| CVE-2022-47939 - 9.8 Critical; ZDI-22-1690; ZDI-CAN-17816 | Security Bulletin Linux ksmbd vulnerability ZDI-22-1690, ZDI-CAN-17816 | No corrective action is required for any Pure Storage products. Pure does not include nor enable this service in any of our products. |
| CVE-2023-29059 - 7.8 High | Security Bulletin 3CX Voice Over IP Protocol (VOIP) Client Supply Chain Attack | No corrective action is required for any Pure Storage products. |


CVEs Published by Pure Storage

| CVE Reference & CVSS 3.1 Score/Vector | Description | Product |
| --- | --- | --- |
| CVE-2023-36628 - 8.8 High | Security Bulletin for FlashArray Privilege Escalation in VASA | FlashArray |
| CVE-2023-36627 - 7.7 High | Security Bulletin for FlashBlade Snapshot Scheduler | FlashBlade |
| CVE-2023-32572 - 6.5 Medium | Security Bulletin for FlashArray pgroup Retention Lock SafeMode Protection | FlashArray |
| CVE-2023-31042 - 7.7 High | Security Bulletin for FlashBlade Object Store Protocol | FlashBlade |
| CVE-2023-28373 - 4.4 Medium | Security Bulletin FlashArray SafeMode Immutable Vulnerability | FlashArray |
| CVE-2023-28372 - 6.5 Medium | Security Bulletin FlashBlade Object Store Privileged Access Vulnerability CVE-2023-28372 | FlashBlade |