Security Advisory: Pure Response to CVE-2022-0847 "Dirty Pipe"
This interim status report will be updated on 2022-03-31.
CVE-2022-0847, also known as “Dirty Pipe”, describes a Linux kernel privilege escalation vulnerability that allows a local user to gain super-user privileges. CVSS Base score 7.8 High (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Pure Storage has confirmed that the following products are not affected: FlashArray, FlashBlade, Portworx, Pure Cloud Block Store, Pure Services Orchestrator, ActiveCluster On-Premises Mediator, VM Analytics Collector, Virtual Appliance (OVA) and the Pure1 mobile apps for Android and IOS.
Pure1 is partially affected: AMI services based on Ubuntu20 are affected and are being remediated. All other services are unaffected, including EKS and nodes.
Product | Evaluated Version | Impact/Status | First Fixed Release | Patch |
FlashArray | Purity//FA 5.3.x | Not affected | N/A |
N/A |
FlashArray | Purity//FA 6.0.x | Not affected | N/A | N/A |
FlashArray | Purity//FA 6.1.x | Not affected | N/A | N/A |
FlashArray | Purity//FA 6.2.x | Not affected | N/A | N/A |
Pure Cloud Block Store | 6.1.xPAZ | Not affected | N/A | N/A |
Pure Cloud Block Store | 6.1.xPAWS | Not affected | N/A | N/A |
Pure Cloud Block Store | 6.2.xPAZ | Not affected | N/A | N/A |
Pure Cloud Block Store | 6.2.xPAWS | Not affected | N/A | N/A |
FlashBlade | Purity//FB 3.0.x (EOL) | Not affected | N/A | N/A |
FlashBlade | Purity//FB 3.1.x | Not affected | N/A | N/A |
FlashBlade | Purity//FB 3.2.x | Not affected | N/A | N/A |
FlashBlade | Purity//FB 3.3.x | Not affected | N/A | N/A |
Portworx | N/A | Not affected*** | N/A | N/A |
Pure Services Orchestrator | N/A | Not affected*** | N/A | N/A |
Pure1 | N/A | Partially Affected+++ | N/A | N/A |
Pure1 Mobile Apps | N/A | Not affected | N/A | N/A |
VM Analytics Collector | N/A | Not affected | N/A | N/A |
Virtual Appliance (OVA) | N/A | Not affected | N/A | N/A |
ActiveCluster On-Premises Mediator | N/A | Not affected | N/A | N/A |
***The referenced Pure Storage product is a provided as a container and does not contain a kernel; thus it is not affected by this vulnerability. However, the host system might be affected. Pure Storage recommends that customers ensure the OS kernel is updated as soon as possible after their host provider makes a fixed version available.
+++AMI services based on Ubuntu20 are affected and are being remediated. All other services are unaffected, including EKS and nodes.Pure Storage recommends following network security best practices that reduce the risk of compromise of this type of vulnerability such as ensuring that your Pure Storage arrays are reachable only from authorized network addresses and hosts.
Please contact Pure Storage Global Technical Services if you have any questions or concerns.
Thank you,
Pure Storage Global Technical Services