Pure Technical Services

Security Advisory: Pure Response to CVE-2022-22965 "SpringShell" or "Spring4Shell"

CVE-2022-22965, also known as "SpringShell" or "Spring4Shell", describes a weakness in the Spring Framework that may allow remote code execution on a vulnerable system. Multiple additional conditions must be true for the weakness to become a vulnerability. The Pure Storage PSIRT calculated a CVSS Base score of 8.1 High (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Pure Storage has confirmed that Pure1 was vulnerable to CVE-2022-22965, but WAF rules mitigated against exploitation. Pure1 was promptly remediated and is now fixed, but the WAF rules remain in place as an additional layer of protection.

No other Pure Storage product is affected by CVE-2022-22965.

| Product | Evaluated Version | Impact/Status | First Fixed Release | Patch |
|---|---|---|---|---|
| FlashArray | Purity//FA 6.2.x | Not affected | | |
| FlashArray | Purity//FA 6.1.x | Not affected | | |
| FlashArray | Purity//FA 6.0.x | Not affected | | |
| FlashArray | Purity//FA 5.3.x | Not affected | | |
| Pure Cloud Block Store | 6.1.xPAZ | Not affected | | |
| Pure Cloud Block Store | 6.1.xPAWS | Not affected | | |
| Pure Cloud Block Store | 6.2.xPAZ | Not affected | | |
| Pure Cloud Block Store | 6.2.xPAWS | Not affected | | |
| FlashBlade | Purity//FB 3.0.x (EOL) | Not affected | | |
| FlashBlade | Purity//FB 3.1.x | Not affected | | |
| FlashBlade | Purity//FB 3.2.x | Not affected | | |
| FlashBlade | Purity//FB 3.3.x | Not affected | | |
| Portworx | N/A | Not affected | | |
| Pure Services Orchestrator (PSO) | N/A | Not affected | | |
| Pure1 | N/A | Fixed | | |
| Pure1 Mobile Apps | N/A | Not affected | | |
| VM Analytics Collector | 3.1.8 | Not affected | | |
| Virtual Appliance (OVA) | 3.4.0 | Not affected | | |
| Active Cluster On-Premises Mediator | N/A | Not affected | | |

Please contact Pure Storage Global Technical Services if you have any questions or concerns.

Thank you,

Pure Storage Global Technical Services