FlashArray DOS Vulnerability

Security Bulletins

Audience
Public
Product
FlashBlade
FlashArray
FlashBlade > Purity//FB
FlashArray > Purity//FA
Portworx
Source Type
Documentation

Please contact psirt@purestorage.com or via Slack #psirt-request with any questions or concerns.

Note:

For current remediation status refer to ATOM Dashboard.

Summary

Improper input validation performed during the authentication process of FlashArray could lead to a system "Denial of Service”.

CVE Base CVSS 4.0 Score Severity Vector
CVE-2025-0051 8.7 High CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
The impacted Purity versions are:
  • Purity//FA 5.0.0 - 5.0.11 (EOL)

  • Purity//FA 5.1.1 - 5.1.17 (EOL)

  • Purity//FA 5.2.0 - 5.2.7 (EOL)

  • Purity//FA 5.3.0 - 5.3.21 (EOL)

  • Purity//FA 6.0.0 - 6.0.9 (EOL)

  • Purity//FA 6.1.0 - 6.1.25 (EOL)

  • Purity//FA 6.2.0 - 6.2.17 (EOL)

  • Purity//FA 6.3.0 - 6.3.20

  • Purity//FA 6.4.0 - 6.4.10 (EOL)

  • Purity//FA 6.5.0 - 6.5.9

  • Purity//FA 6.6.0 - 6.6.11

  • Purity//FA 6.7.0 - 6.7.1

  • Purity//FA 6.8.0 - 6.8.2

This includes Cloud Block Store (CBS) arrays running the above vulnerable versions.

Note: If you are on an EOL Purity version, we highly recommend upgrading to a supported version to remediate this vulnerability.

Corrective Action

Affected customers will need to apply a self-service patch or upgrade their Purity to an unaffected Purity version.

The above vulnerability (CVE-2025-0051) is resolved in the following FlashArray //Purity versions:
  • Purity//FA 6.5.10 or later

  • Purity//FA 6.7.2 or later

  • Purity//FA 6.8.3 or later

Customers on End-Of-Life (EOL) Purity versions are highly encouraged to upgrade to a supported version which contains the above fix.

FA Purity 6.5.10 will be released around March 11, 2025.

Mitigating Controls/Corrective Action

Follow network security best practices
  • Restrict array access to only trusted users. Everpure strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to management interfaces
  • Closely monitor arrays for abnormal or unexpected workload/ IO spikes or utilization as a leading indicator

  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns

Contacting Support

If you need assistance with this issue, please call Technical Services at +1 866-244-7121. If calling from outside the US, please select from the list of phone numbers here: Contact Us.

Note: Remediation options:
  1. Apply a Pure1 online, self-service opt-in security patch bundle (preferred method).
  2. Purity upgrade to an unaffected Purity release.

For FlashArray, the patch bundle can be applied to Purity versions 6.3.x, 6.5.x, 6.6.x, 6.7.x, and 6.8.x. Arrays running older Purity versions are required to upgrade to a fixed version of Purity listed below.The above stated issues affecting FlashArray Purity are resolved in the following minimum FlashArray Purity versions:
  • Purity//FA 6.5.10 or later

  • Purity//FA 6.7.2 or later

  • Purity//FA 6.8.3 or later

Support Escalation - How To Escalate a C+ase

Please see Customer Escalation Procedures & Contact Pure Security for additional information.