Security Bulletin for 2024 January FlashArray and FlashBlade Security Vulnerabilities

Security Bulletins

Audience
Public
Product
FlashBlade
FlashArray
FlashBlade > Purity//FB
FlashArray > Purity//FA
Portworx
Source Type
Documentation

Product Specific Resources

Note:

For current remediation status refer to FlashArray ATOM Dashboard and FlashBlade ALOHA Dashboard

Summary

Everpure has identified multiple security vulnerabilities affecting both FlashArray™ and FlashBlade® Purity releases.

CVE

Description

CVSS Score

First Found (Affected versions)

CVE-2024-0001

A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges.

10.0 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

FlashArray:

  • Purity//FA 6.3.0 - 6.3.14
  • Purity//FA 6.4.0 - 6.4.10

FlashBlade is not affected.

CVE-2024-0002

A condition exists in FlashArray Purity whereby an attacker can employ a privileged account allowing remote access to the array.

10.0 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

FlashArray:

  • Purity//FA 5.3.17 - 5.3.21
  • Purity//FA 6.0.7 - 6.0.9
  • Purity//FA 6.1.8 - 6.1.25
  • Purity//FA 6.2.0 - 6.2.17
  • Purity//FA 6.3.0 - 6.3.14
  • Purity//FA 6.4.0 - 6.4.10
  • Purity//FA 6.5.0

FlashBlade is not affected.

CVE-2024-0003

A condition exists in FlashArray Purity whereby a malicious user could use a remote administrative service to create an account on the array allowing privileged access.

9.1 (Critical)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

FlashArray:

  • Purity//FA 5.3.17 - 5.3.21
  • Purity//FA 6.0.7 - 6.0.9
  • Purity//FA 6.1.8 - 6.1.25
  • Purity//FA 6.2.0 - 6.2.17
  • Purity//FA 6.3.0 - 6.3.14
  • Purity//FA 6.4.0 - 6.4.10
  • Purity//FA 6.5.0

FlashBlade is not affected.

CVE-2024-0004

A condition exists in FlashArray Purity whereby an user with array admin role can execute arbitrary commands remotely to escalate privilege on the array.

9.1 (Critical)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

FlashArray:

  • Purity//FA 5.0.0 - 5.0.11
  • Purity//FA 5.1.0 - 5.1.17
  • Purity//FA 5.2.0 - 5.2.7
  • Purity//FA 5.3.0 - 5.3.21
  • Purity//FA 6.0.0 - 6.0.9
  • Purity//FA 6.1.0 - 6.1.25
  • Purity//FA 6.2.0 - 6.2.17
  • Purity//FA 6.3.0 - 6.3.14
  • Purity//FA 6.4.0 - 6.4.10
  • Purity//FA 6.5.0

FlashBlade is not affected.

CVE-2024-0005

A condition exists in FlashArray and FlashBlade Purity whereby a malicious user could execute arbitrary commands remotely through a specifically crafted SNMP configuration.

9.1 (Critical)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

FlashArray:

  • Purity//FA 5.0.0 - 5.0.11
  • Purity//FA 5.1.0 - 5.1.17
  • Purity//FA 5.2.0 - 5.2.7
  • Purity//FA 5.3.0 - 5.3.21
  • Purity//FA 6.0.0 - 6.0.9
  • Purity//FA 6.1.0 - 6.1.25
  • Purity//FA 6.2.0 - 6.2.17
  • Purity//FA 6.3.0 - 6.3.14
  • Purity//FA 6.4.0 - 6.4.10
  • Purity//FA 6.5.0 and 6.6.0

FlashBlade:

  • Purity//FB 3.0.0 - 3.0.9
  • Purity//FB 3.1.0 - 3.1.15
  • Purity//FB 3.2.0 - 3.2.10
  • Purity//FB 3.3.0 - 3.3.11
  • Purity//FB 4.0.0 - 4.0.6
  • Purity//FB 4.1.0 - 4.1.10
  • Purity//FB 4.2.0 - 4.2.3
  • Purity//FB 4.3.0 - 4.3.1

Corrective Action

Affected customers will need to apply a self-service patch bundle or upgrade their Purity to an unaffected Purity version.

The above stated issues affecting FlashArray //Purity are resolved in the following releases:

  • Purity//FA versions 6.3.15 or later

  • Purity//FA versions 6.5.1 or later

  • Purity//FA versions 6.6.1 or later

This above stated issue affecting FlashBlade //Purity is resolved in the following releases:

  • Purity//FB versions 4.1.11 or later

  • Purity//FB versions 4.3.2 or later

Note:

Remediation options:

  1. Apply a Pure1 online, self-service opt-in security patch bundle (preferred method).

  2. Purity upgrade to an unaffected Purity release.

For FlashArray, the patch bundle can be applied to Purity versions 6.1.x, 6.3.x, 6.4.x 6.5.0 and 6.6.0. Arrays running older Purity versions are required to upgrade to a fixed version of Purity listed below.The above stated issues affecting FlashArray Purity are resolved in the following minimum FlashArray Purity versions:

  • Purity//FA versions 6.3.15 or later

  • Purity//FA versions 6.5.1 or later

  • Purity//FA versions 6.6.1 or later

However, we recommend Purity//FA versions 6.3.15 or later, 6.5.2 or later or 6.6.1 or later.For FlashBlade, the patch can be applied to Purity versions equal to or later than 3.3.5, 4.1.x, 4.2.x and 4.3.x. Systems running older Purity versions are required to upgrade to a fixed version of Purity listed below.This above stated issue affecting FlashBlade Purity is resolved in the following minimum FlashBlade Purity:

  • Purity//FB versions 4.1.12 or later

  • Purity//FB versions 4.3.2 or later

However, we recommend Purity//FB versions 4.1.13 or later or 4.3.2 or later

Please see the below link for more information

Contacting Support

If you need assistance with this issue please call Technical Services at +1 866-244-7121. If calling from outside the US, please select from the list of phone numbers here: Contact Us.

Support Escalation - How To Escalate a Case

Please see Customer Escalation Procedures & Contact Pure Security for additional information.