Product Specific Resources
For current remediation status refer to FlashArray ATOM Dashboard and FlashBlade ALOHA Dashboard
Summary
Everpure has identified multiple security vulnerabilities affecting both FlashArray™ and FlashBlade® Purity releases.
|
CVE |
Description |
CVSS Score |
First Found (Affected versions) |
|---|---|---|---|
|
CVE-2024-0001 |
A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges. |
10.0 (Critical) |
FlashArray:
FlashBlade is not affected. |
|
CVE-2024-0002 |
A condition exists in FlashArray Purity whereby an attacker can employ a privileged account allowing remote access to the array. |
10.0 (Critical) |
FlashArray:
FlashBlade is not affected. |
|
CVE-2024-0003 |
A condition exists in FlashArray Purity whereby a malicious user could use a remote administrative service to create an account on the array allowing privileged access. |
9.1 (Critical) |
FlashArray:
FlashBlade is not affected. |
|
CVE-2024-0004 |
A condition exists in FlashArray Purity whereby an user with array admin role can execute arbitrary commands remotely to escalate privilege on the array. |
9.1 (Critical) |
FlashArray:
FlashBlade is not affected. |
|
CVE-2024-0005 |
A condition exists in FlashArray and FlashBlade Purity whereby a malicious user could execute arbitrary commands remotely through a specifically crafted SNMP configuration. |
9.1 (Critical) |
FlashArray:
FlashBlade:
|
Corrective Action
Affected customers will need to apply a self-service patch bundle or upgrade their Purity to an unaffected Purity version.
The above stated issues affecting FlashArray //Purity are resolved in the following releases:
-
Purity//FA versions 6.3.15 or later
-
Purity//FA versions 6.5.1 or later
-
Purity//FA versions 6.6.1 or later
This above stated issue affecting FlashBlade //Purity is resolved in the following releases:
-
Purity//FB versions 4.1.11 or later
-
Purity//FB versions 4.3.2 or later
Remediation options:
-
Apply a Pure1 online, self-service opt-in security patch bundle (preferred method).
-
Follow steps here for FlashArray.
-
Follow steps KB - FB Security Patch January 2024 (security-patch-fb-2024-01-15) for FlashBlade.
-
Please be aware that this security patch (security-patch-fb-2024-01-15) also includes a FlashBlade patch from last year (security-patch-fb-2023-09-25), and will be applied if not previously applied. For information on the prior patch, please refer to FlashBlade Authentication Mechanism Vulnerability CVE-2023-4976.
-
-
Purity upgrade to an unaffected Purity release.
For FlashArray, the patch bundle can be applied to Purity versions 6.1.x, 6.3.x, 6.4.x 6.5.0 and 6.6.0. Arrays running older Purity versions are required to upgrade to a fixed version of Purity listed below.The above stated issues affecting FlashArray Purity are resolved in the following minimum FlashArray Purity versions:
-
Purity//FA versions 6.3.15 or later
-
Purity//FA versions 6.5.1 or later
-
Purity//FA versions 6.6.1 or later
However, we recommend Purity//FA versions 6.3.15 or later, 6.5.2 or later or 6.6.1 or later.For FlashBlade, the patch can be applied to Purity versions equal to or later than 3.3.5, 4.1.x, 4.2.x and 4.3.x. Systems running older Purity versions are required to upgrade to a fixed version of Purity listed below.This above stated issue affecting FlashBlade Purity is resolved in the following minimum FlashBlade Purity:
-
Purity//FB versions 4.1.12 or later
-
Purity//FB versions 4.3.2 or later
However, we recommend Purity//FB versions 4.1.13 or later or 4.3.2 or later
Please see the below link for more information
Contacting Support
If you need assistance with this issue please call Technical Services at +1 866-244-7121. If calling from outside the US, please select from the list of phone numbers here: Contact Us.
Support Escalation - How To Escalate a Case
Please see Customer Escalation Procedures & Contact Pure Security for additional information.