Skip to main content
Contact Us
Register
Pure Technical Services

Security Bulletin for CVE-2022-42889 (Apache Commons Text) and CVE-2022-33980 (Apache Commons Configuration)

  1. Last updated
  2. Save as PDF

Currently viewing public documentation. Please login to access the full scope of documentation.

 

author_pureicon.png

Summary

Pure Software products are not affected by CVE-2022-42889 (Apache Commons Text) or CVE-2022-33980 (Apache Commons Configuration).

Details

Purity software for FlashArray and FlashBlade do contain the vulnerable software packages as specified by the Apache Project, but the exploitable functions are never used. Additional testing confirms this assessment. Regardless, the relevant packages will be updated as part of Pure's standard processes.

Corrective Action

No corrective action is required for any Pure Storage products.

General Mitigation Best Practices

Pure Storage recommends following network security best practices that minimize the risk of compromise:

  • Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).

  • Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to CloudAssist subnet 52.40.255.224/27 for outbound traffic. A firewall will need to permit inbound traffic for the established connection. 

  • Pure Storage strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.

  • Closely monitor arrays for abnormal or unexpected workload/ IO spikes or utilization as a leading indicator.  

  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.

Contacting Support

If you would like one of our engineers to assist you with this issue please call +1 866-244-7121. If calling from outside the US here is a list of phone numbers:  https://support.purestorage.com/Pure1/Support.

Support Escalation - How To Escalate a Case  

If you believe that you may have been actively exploited, please call +1 866-244-7121 and request for a Severity 1 case to be created. 

For all other requests for assistance that are not an active Severity 1 / outage/ critical issue, please contact Pure Storage Technical Services for assistance.

If calling from outside the US here is a list of phone numbers: https://support.purestorage.com/Pure1/Support. Pure Storage customers can escalate cases in the following ways:

  • Call Pure Storage Support and ask to speak with the Support Manager on Duty.  

  • PHONE (US) +1 866-244-7121 or +1 650-729-4088

  • PHONE (INTERNATIONAL) support.purestorage.com/pure1/support 

  • Click the escalation link on one of the case emails. Every email from Pure Storage Support displays the following question near the bottom, including a dynamic link: “Not satisfied with the handling of this case? Click here to escalate.”

  • In the upper right-hand Pure1 Case Portal, click Escalate.

Please also see:  Customer Escalation Procedures for additional information.