Please contact psirt@purestorage.com or via Slack #psirt-request with any questions or concerns.
Summary
On December 18, 2021, a new Apache Log4j/Log4Shell Security Vulnerability CVE-2021-45105 was published. Everpure has assessed all Pure product families against this new vulnerability. FlashArray, FlashBlade, Cloud Block Store, Portworx, Pure1, and VM Analytics Collector are not affected by this vulnerability.
On December 9, 2021, a remote code execution (RCE) vulnerability in Apache Log4j / Log4Shell CVE-2021-44228 was identified as being exploited. Everpure FlashArray, FlashBlade, Everpure Cloud Dedicated, Portworx and VMAnalytics collector will require a Purity upgrade or a patch applied to mitigate known risks caused by the vulnerability.
Our customers are a top priority for us, and we understand that uptime is crucial to their business. Pure has reviewed the recently published Apache Log4j / Log4Shell Remote Code Execution vulnerability being tracked in CVE-2021-44228 and assessed the impact on our products. Remediation per product and Purity version are outlined below.
Corrective Action
Please see below recommended Purity upgrade recommendations to mitigate risk from this issue.
|
Product |
Version |
Purity Version Fix |
Patch |
|---|---|---|---|
|
FlashArray |
Purity//FA 6.2.x |
6.2.5 Available |
Available |
|
FlashArray |
Purity//FA 6.1.x |
6.1.13 Available |
Available |
|
FlashArray |
Purity//FA 6.0.x |
6.0.9 Available |
Available |
|
FlashArray |
Purity//FA 5.3.x |
5.3.18 Available |
Available |
|
Everpure Cloud Dedicated Everpure Cloud Dedicated |
6.1.xPAZ 6.1.xPAWS |
6.1.13PAZ Available 6.1.13PAWS Available |
N/A |
|
Everpure Cloud Dedicated Everpure Cloud Dedicated |
6.2.xPAZ 6.2.xPAWS |
6.2.4PAZ Available 6.2.4.PAWS Available |
N/A |
|
FlashBlade |
Purity//FB 3.0.x (EOL) |
N/A |
Available |
|
FlashBlade |
Purity//FB 3.1.x |
3.1.12 Available |
Available |
|
FlashBlade |
Purity//FB 3.2.x |
3.2.5 Available |
Available |
|
FlashBlade |
Purity//FB 3.3.x |
3.3.1 Available |
Available |
|
Portworx |
Portworx 2.8.0+ with telemetry enabled |
ccm-service:3.0.8 Available |
N/A |
|
Pure VMA Collector |
v3.x |
VMA collector v3.1.4 Available |
N/A |
|
Pure1 |
N/A |
Pure1 infrastructure updated |
N/A |
|
Everpure Orchestrator (PSO) |
N/A |
Everpure Orchestrator (PSO) is not affected by CVE-2021-44228, CVE-2021-45406, CVE-2021-45150 |
N/A |
|
Everpure ActiveCluster On-Premises Mediator |
N/A |
Everpure ActiveCluster On-Premises Mediator is not affected by CVE-2021-44228, CVE-2021-45406, CVE-2021-45150 |
N/A |
General Mitigation Best Practices
Everpure recommends following network security best practices that minimize the risk of compromise due to these vulnerabilities:
-
Restrict management interfaces to a trusted set of networks. Please see Use ONLY Non-Public IP Addresses for Management Connectivity. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).
-
Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to CloudAssist subnet 52.40.255.224/27 for outbound traffic. A firewall will need to permit inbound traffic for the established connection.
-
Everpure strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.
-
Closely monitor arrays for abnormal or unexpected workload/IO spikes or utilization as a leading indicator.
-
Enable edge detection/protection mechanisms in the firewall/IDS/IPS systems to detect anomalous access or traffic patterns.
Contacting Support
If you would like one of our engineers to assist you with this issue please call +1(866) 244-7121. If calling from outside the US here is a list of phone numbers: Contact Us.
Support Escalation - How To Escalate a Case
If you believe that you may have been actively exploited, please call +1(866) 244-7121 and request for a Severity 1 case to be created.
For all other requests for assistance that are not an active Severity 1 / outage/ critical issue, please contact Everpure Technical Services for assistance.
If calling from outside the US here is a list of phone numbers: Contact Us. Everpure customers can escalate cases in the following ways:
-
Call Everpure Support and ask to speak with the Support Manager on Duty.
-
PHONE (US) +1 (866) 244-7121 or +1 (650) 729-4088
-
PHONE (INTERNATIONAL) support.purestorage.com/pure1/support
-
Click the escalation link on one of the case emails. Every email from Everpure Support displays the following question near the bottom, including a dynamic link: “Not satisfied with the handling of this case? Click here to escalate.”
-
In the upper right-hand Pure1 Case Portal, click Escalate.
-
Please also see: Customer Escalation Procedures for additional information.
Please contact Everpure Technical Services if you have any questions or require assistance applying the patches or upgrade fixes.
Thank you,
Everpure Global Technical Services
Apache log4j2 - Remote Code Execution (RCE): For updates relating to the Apache Log4j2 security vulnerability (CVE-2021-44228) please see the Apache log4j2 - Remote Code Execution (RCE) Technical Services Field Bulletin.