Please contact psirt@purestorage.com or via Slack #psirt-request with any questions or concerns.
For current remediation status refer to ATOM Dashboard.
Summary
Improper input validation performed during the authentication process of FlashArray could lead to a system "Denial of Service”.
| CVE | Base CVSS 4.0 Score | Severity | Vector |
|---|---|---|---|
| CVE-2025-0051 | 8.7 | High | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
-
Purity//FA 5.0.0 - 5.0.11 (EOL)
-
Purity//FA 5.1.1 - 5.1.17 (EOL)
-
Purity//FA 5.2.0 - 5.2.7 (EOL)
-
Purity//FA 5.3.0 - 5.3.21 (EOL)
-
Purity//FA 6.0.0 - 6.0.9 (EOL)
-
Purity//FA 6.1.0 - 6.1.25 (EOL)
-
Purity//FA 6.2.0 - 6.2.17 (EOL)
-
Purity//FA 6.3.0 - 6.3.20
-
Purity//FA 6.4.0 - 6.4.10 (EOL)
-
Purity//FA 6.5.0 - 6.5.9
-
Purity//FA 6.6.0 - 6.6.11
-
Purity//FA 6.7.0 - 6.7.1
-
Purity//FA 6.8.0 - 6.8.2
This includes Cloud Block Store (CBS) arrays running the above vulnerable versions.
Corrective Action
Affected customers will need to apply a self-service patch or upgrade their Purity to an unaffected Purity version.
-
Purity//FA 6.5.10 or later
-
Purity//FA 6.7.2 or later
-
Purity//FA 6.8.3 or later
Customers on End-Of-Life (EOL) Purity versions are highly encouraged to upgrade to a supported version which contains the above fix.
FA Purity 6.5.10 will be released around March 11, 2025.
Mitigating Controls/Corrective Action
- Restrict array access to only trusted users. Everpure strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to management interfaces
-
Closely monitor arrays for abnormal or unexpected workload/ IO spikes or utilization as a leading indicator
-
Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns
Contacting Support
If you need assistance with this issue, please call Technical Services at +1 866-244-7121. If calling from outside the US, please select from the list of phone numbers here: Contact Us.
-
Apply a Pure1 online, self-service opt-in security patch bundle (preferred method).
-
Follow steps here for FlashArray.
-
Please be aware that security-patch-fa-2025-A will contain the previous years security bundle (security-bundle-fa-2024-01-15), for customers who have not yet applied it. For information on the prior patch, please refer to Security Bulletin for 2024 January FlashArray and FlashBlade Security Vulnerabilities.
-
-
Purity upgrade to an unaffected Purity release.
-
Purity//FA 6.5.10 or later
-
Purity//FA 6.7.2 or later
-
Purity//FA 6.8.3 or later
Support Escalation - How To Escalate a C+ase
Please see Customer Escalation Procedures & Contact Pure Security for additional information.