Pure Technical Services

Security Advisory: Pure Response to CVE-2022-0847 "Dirty Pipe"


This interim status report will be updated on 2022-03-31.

CVE-2022-0847, also known as “Dirty Pipe”, describes a Linux kernel privilege escalation vulnerability that allows a local user to gain super-user privileges. CVSS Base score: 7.8 High (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Pure Storage has confirmed that the following products are not affected: FlashArray, FlashBlade, Portworx, Pure Cloud Block Store, Pure Services Orchestrator, ActiveCluster On-Premises Mediator, VM Analytics Collector, Virtual Appliance (OVA) and the Pure1 mobile apps for Android and iOS.

Pure1 is partially affected: AMI services based on Ubuntu20 are affected and are being remediated. All other services are unaffected, including EKS and nodes.

| Product | Evaluated Version | Impact/Status | First Fixed Release | Patch |
|---|---|---|---|---|
| FlashArray | Purity//FA 5.3.x | Not affected | N/A | N/A |
| FlashArray | Purity//FA 6.0.x | Not affected | N/A | N/A |
| FlashArray | Purity//FA 6.1.x | Not affected | N/A | N/A |
| FlashArray | Purity//FA 6.2.x | Not affected | N/A | N/A |
| Pure Cloud Block Store | 6.1.xPAZ | Not affected | N/A | N/A |
| Pure Cloud Block Store | 6.1.xPAWS | Not affected | N/A | N/A |
| Pure Cloud Block Store | 6.2.xPAZ | Not affected | N/A | N/A |
| Pure Cloud Block Store | 6.2.xPAWS | Not affected | N/A | N/A |
| FlashBlade | Purity//FB 3.0.x (EOL) | Not affected | N/A | N/A |
| FlashBlade | Purity//FB 3.1.x | Not affected | N/A | N/A |
| FlashBlade | Purity//FB 3.2.x | Not affected | N/A | N/A |
| FlashBlade | Purity//FB 3.3.x | Not affected | N/A | N/A |
| Portworx | N/A | Not affected*** | N/A | N/A |
| Pure Services Orchestrator | N/A | Not affected*** | N/A | N/A |
| Pure1 | N/A | Partially Affected+++ | N/A | N/A |
| Pure1 Mobile Apps | N/A | Not affected | N/A | N/A |
| VM Analytics Collector | N/A | Not affected | N/A | N/A |
| Virtual Appliance (OVA) | N/A | Not affected | N/A | N/A |
| ActiveCluster On-Premises Mediator | N/A | Not affected | N/A | N/A |

***The referenced Pure Storage product is provided as a container and does not contain a kernel; thus it is not affected by this vulnerability. However, the host system might be affected. Pure Storage recommends that customers update the host OS kernel as soon as possible after their host provider makes a fixed version available.

+++AMI services based on Ubuntu20 are affected and are being remediated. All other services are unaffected, including EKS and nodes.

Pure Storage recommends following network security best practices that reduce the risk of compromise from this type of vulnerability, such as ensuring that your Pure Storage arrays are reachable only from authorized network addresses and hosts.

Please contact Pure Storage Global Technical Services if you have any questions or concerns.

Thank you,

Pure Storage Global Technical Services