Security Advisory: Pure Response to CVE-2022-22965 "SpringShell" or "Spring4Shell"
CVE-2022-22965, also known as "SpringShell" or "Spring4Shell", describes a weakness in the Spring Framework that may allow remote code execution on a vulnerable system. Multiple additional conditions must be true for the weakness to become an exploitable vulnerability. The Pure Storage PSIRT calculated a CVSS Base score of 8.1 High (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Pure Storage has confirmed that Pure1 was vulnerable to CVE-2022-22965, but WAF rules mitigated exploitation. Pure1 was promptly remediated and is now fixed; the WAF rules remain in place as an additional layer of protection.
No other Pure Storage product is affected by CVE-2022-22965.
| Product | Evaluated Version | Impact/Status | First Fixed Release | Patch |
| --- | --- | --- | --- | --- |
| FlashArray | Purity//FA 6.2.x | Not affected | | |
| FlashArray | Purity//FA 6.1.x | Not affected | | |
| FlashArray | Purity//FA 6.0.x | Not affected | | |
| FlashArray | Purity//FA 5.3.x | Not affected | | |
| Pure Cloud Block Store | 6.1.xPAZ | Not affected | | |
| Pure Cloud Block Store | 6.1.xPAWS | Not affected | | |
| Pure Cloud Block Store | 6.2.xPAZ | Not affected | | |
| Pure Cloud Block Store | 6.2.xPAWS | Not affected | | |
| FlashBlade | Purity//FB 3.0.x (EOL) | Not affected | | |
| FlashBlade | Purity//FB 3.1.x | Not affected | | |
| FlashBlade | Purity//FB 3.2.x | Not affected | | |
| FlashBlade | Purity//FB 3.3.x | Not affected | | |
| Portworx | N/A | Not affected | | |
| Pure Services Orchestrator (PSO) | N/A | Not affected | | |
| Pure1 | N/A | Fixed | | |
| Pure1 Mobile Apps | N/A | Not affected | | |
| VM Analytics Collector | 3.1.8 | Not affected | | |
| Virtual Appliance (OVA) | 3.4.0 | Not affected | | |
| Active Cluster On-Premises Mediator | N/A | Not affected | | |
Please contact Pure Storage Global Technical Services if you have any questions or concerns.
Thank you,
Pure Storage Global Technical Services