Security Advisory: Pure Response to CVE-2022-0847 "Dirty Pipe"

Security Bulletins

Audience
Public
Product
FlashBlade
FlashArray
FlashBlade > Purity//FB
FlashArray > Purity//FA
Portworx
Source Type
Documentation

This interim status report will be updated on 2022-03-31.

CVE-2022-0847, also known as “Dirty Pipe”, describes a Linux kernel privilege escalation vulnerability that allows a local user to gain super-user privileges. CVSS Base score 7.8 High (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Everpure has confirmed that the following products are not affected: FlashArray, FlashBlade, Portworx, Everpure Cloud Dedicated, Pure Services Orchestrator, ActiveCluster On-Premises Mediator, VM Analytics Collector, Virtual Appliance (OVA) and the Pure1 mobile apps for Android and IOS.

Pure1 is partially affected: AMI services based on Ubuntu20 are affected and are being remediated. All other services are unaffected, including EKS and nodes.

Product

Evaluated Version

Impact/Status

First Fixed Release

Patch

FlashArray

Purity//FA 5.3.x

Not affected

N/A

N/A

FlashArray

Purity//FA 6.0.x

Not affected

N/A

N/A

FlashArray

Purity//FA 6.1.x

Not affected

N/A

N/A

FlashArray

Purity//FA 6.2.x

Not affected

N/A

N/A

Everpure Cloud Dedicated

6.1.xPAZ

Not affected

N/A

N/A

Everpure Cloud Dedicated

6.1.xPAWS

Not affected

N/A

N/A

Everpure Cloud Dedicated

6.2.xPAZ

Not affected

N/A

N/A

Everpure Cloud Dedicated

6.2.xPAWS

Not affected

N/A

N/A

FlashBlade

Purity//FB 3.0.x (EOL)

Not affected

N/A

N/A

FlashBlade

Purity//FB 3.1.x

Not affected

N/A

N/A

FlashBlade

Purity//FB 3.2.x

Not affected

N/A

N/A

FlashBlade

Purity//FB 3.3.x

Not affected

N/A

N/A

Portworx

N/A

Not affected***

N/A

N/A

Pure Services Orchestrator

N/A

Not affected***

N/A

N/A

Pure1

N/A

Partially Affected+++

N/A

N/A

Pure1 Mobile Apps

N/A

Not affected

N/A

N/A

VM Analytics Collector

N/A

Not affected

N/A

N/A

Virtual Appliance (OVA)

N/A

Not affected

N/A

N/A

ActiveCluster On-Premises Mediator

N/A

Not affected

N/A

N/A

***The referenced Everpure product is a provided as a container and does not contain a kernel; thus it is not affected by this vulnerability. However, the host system might be affected. Everpure recommends that customers ensure the OS kernel is updated as soon as possible after their host provider makes a fixed version available.

+++AMI services based on Ubuntu20 are affected and are being remediated. All other services are unaffected, including EKS and nodes.Everpure recommends following network security best practices that reduce the risk of compromise of this type of vulnerability such as ensuring that your Everpure arrays are reachable only from authorized network addresses and hosts.

Please contact Everpure Technical Services if you have any questions or concerns.

Thank you,

Everpure Global Technical Services

CVE-2022-0847, also known as “Dirty Pipe”, describes a Linux kernel privilege escalation vulnerability that allows a local user to gain super-user privileges. Everpure has confirmed that the following products are not affected: FlashArray, FlashBlade, Portworx, Everpure Cloud Dedicated, Pure Services Orchestrator and the VM Analytics Collector (OVA).