SpringShell or Spring4Shell CVE-2022-22965

Security Bulletins

Audience
Public
Product
FlashBlade
FlashArray
FlashBlade > Purity//FB
FlashArray > Purity//FA
Portworx
Source Type
Documentation

Please contact psirt@purestorage.com or via Slack #psirt-request with any questions or concerns.

Summary

CVE-2022-22965, also known as "SpringShell" or "Spring4Shell", describes a weakness in the Spring Framework that may make possible remote code execution on a vulnerable system. Multiple additional conditions must be true for the weakness to become a vulnerability. The Everpure PSIRT calculated a CVSS Base score of 8.1 High (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Corrective Action

No corrective action is required for any Everpure products.

Everpure has confirmed that Pure1 was vulnerable to CVE-2022-22965, but WAF rules mitigated against exploitation. Pure1 was promptly remediated and is now fixed, but the WAF rules remain in place as an additional layer of protection.

No other Everpure product is affected by CVE-2022-22965.

Note: Vulnerability scanner findings that state Pure products are vulnerable should be considered a false positive. The likely cause of the false positive is the proof-of-concept script used for detection. We believe the script attempts to upload a JSP file (e.g example.jsp) and check for an HTTP 200 OK when accessing example.jsp. While our system does return a 200 response, manual testing confirmed that the response content is our login page—consistent with our behavior of redirecting unauthenticated requests to login, which still returns a 200 status. This behavior does not indicate execution of the JSP file, and no evidence of vulnerability or exploitation was found.

Product

Evaluated Version

Impact/Status

FlashArray

Purity//FA 6.2.x

Not affected

FlashArray

Purity//FA 6.1.x

Not affected

FlashArray

Purity//FA 6.0.x

Not affected

FlashArray

Purity//FA 5.3.x

Not affected

Everpure Cloud Dedicated

6.1.xPAZ

Not affected

Everpure Cloud Dedicated

6.1.xPAWS

Not affected

Everpure Cloud Dedicated

6.2.xPAZ

Not affected

Everpure Cloud Dedicated

6.2.xPAWS

Not affected

FlashBlade

Purity//FB 3.0.x (EOL)

Not affected

FlashBlade

Purity//FB 3.1.x

Not affected

FlashBlade

Purity//FB 3.2.x

Not affected

FlashBlade

Purity//FB 3.3.x

Not affected

Portworx

N/A

Not affected

Pure Services Orchestrator (PSO)

N/A

Not affected

Pure1

N/A

Fixed

Pure1 Mobile Apps

N/A

Not affected

VM Analytics Collector

3.1.8

Not affected

Virtual Appliance (OVA)

3.4.0

Not affected

Active Cluster On-Premises Mediator

N/A

Not affected

General Mitigation Best Practices

Everpure recommends following network security best practices that minimize the risk of compromise:

  • Restrict management interfaces to a trusted set of networks. Please see Use ONLY Non-Public IP Addresses for Management Connectivity. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).

  • Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to CloudAssist subnet 52.40.255.224/27 for outbound traffic. A firewall will need to permit inbound traffic for the established connection.

  • Everpure strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.

  • Closely monitor arrays for abnormal or unexpected workload/ IO spikes or utilization as a leading indicator.

  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.

Contacting Support

If you would like one of our engineers to assist you with this issue please call +1 866-244-7121. If calling from outside the US here is a list of phone numbers: Contact Us.

Support Escalation - How To Escalate a Case

Please see the Customer Escalation Procedures and Contact Pure Security pages for additional information.

Thank you,

Everpure Global Technical Services