Log4j/Log4Shell CVE-2021-44228

Security Bulletins

Audience
Public
Product
FlashBlade
FlashArray
FlashBlade > Purity//FB
FlashArray > Purity//FA
Portworx
Source Type
Documentation

This is a final statement and will be updated as necessary and included in the Pure Community Page. Multiple CVEs are addressed in this document related to Log4j / Log4Shell.

Please contact psirt@purestorage.com or via Slack #psirt-request with any questions.

CVE-2021-44228

On December 9, 2021, a critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed (“vulnerability”). The vulnerability, if exploited, may result in Remote Code Execution (RCE) by logging a certain string on affected installations.

This vulnerability is being tracked as CVE-2021-44228. As stated in the CVE, “Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.” Applications that are remotely accessible, can handle user-input and use Log4j (version lower than 2.15.0) to log this input are potentially vulnerable. The CVE also states the following:

Note:

Apache Log4j versions prior to 2.15.0 are susceptible to a vulnerability that when successfully exploited could allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

CVSS Base Scores

Product

CVSS Base Score

FlashArray

9.6 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Cloud Block Store

9.6 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

FlashBlade

8.4 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Portworx

7.6 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

General Mitigation Best Practices

Everpure recommends following network security best practices that minimize the risk of compromise due to this vulnerability including, but not limited to:

  • Restrict management interfaces to a trusted set of networks. Please see Use ONLY Non-Public IP Addresses for Management Connectivity. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).
  • Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to CloudAssist subnet 52.40.255.224/27 only for outbound traffic and your firewall will need to accept inbound traffic for the established connection.
  • Everpure strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to administrative login interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.
  • Closely monitor arrays for abnormal or unexpected workload/ IO spikes or utilization as a leading indicator.
  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.

Affected Versions

Product

Affected Version(s)

FlashArray

  • Purity//FA 6.2.0 - 6.2.3
  • Purity//FA 6.1.0 - 6.1.12
  • Purity//FA 6.0.0 - 6.0.8
  • Purity//FA 5.3.0 - 5.3.17
  • Purity//FA 5.2.x and all prior releases.

FlashBlade

  • Purity//FB 3.3.0
  • Purity//FB 3.2.0 - 3.2.4
  • Purity//FB 3.1.0 - 3.1.11
  • Purity//FB 3.0.x and all prior releases

Cloud Block Store

  • Purity//CBS 6.2.1 and all prior releases

Portworx

  • Portworx versions affected: 2.8.0+ (purestorage/ccm-service:3.0.0-rc1-3.0.6).
  • If you have not enabled telemetry in your Portworx cluster you are not at risk for this vulnerability.

Everpure Orchestrator (PSO)

Everpure Orchestrator (PSO) is NOT affected by CVE-2021-44228, CVE-2021-45406, CVE-2021-45105.

Everpure ActiveCluster On-Premises Mediator

Everpure ActiveCluster On-Premises Mediator is NOT affected by CVE-2021-44228, CVE-2021-45406, CVE-2021-45105

Fixed Versions & Mitigation Options

he following fixes are now available.

Product

Type

Version

Note

FlashArray

Self-Service Patch

Recommended Option

  • Purity//FA 6.2.x
  • Purity//FA 6.1.x
  • Purity//FA 6.0.x
  • Purity//FA 5.3.x

Online non-disruptive patch to address the Log4j vulnerability delivered via Pure1.

See Resolving FlashArray Log4j/Log4Shell CVE-2021-44228 for more details.

FlashArray

Manual Patch

  • Purity//FA 6.2.x
  • Purity//FA 6.1.x
  • Purity//FA 6.0.x
  • Purity//FA 5.3.x
  • Purity//FA 5.2.x
  • Purity//FA 5.1.x
  • Purity//FA 5.0.x

Online, non-disruptive patch to address the Log4j vulnerability, administered by Everpure Global Technical Services.

FlashArray

Purity Upgrade

All

Upgrades to the following versions of Purity//FA contain a permanent fix for Log4j:

Cloud Block Store

Purity Upgrade

All

Upgrades to the following versions contain a permanent fix for Log4j:
  • Purity//CBS 6.2.4PAWS
  • Purity//CBS 6.2.4PAZ
  • Purity//CBS 6.1.13PAWS
  • Purity//CBS 6.1.13PAZ

See Resolving Cloud Block Store Log4j/Log4Shell CVE-2021-44228 for more details.

FlashBlade

Self-Service Patch

Recommended Option

  • Purity//FB 3.3.x
  • Purity//FB 3.2.x
  • Purity//FB 3.1.x
  • Purity//FB 3.0.x

Online, non-disruptive patch to address the Log4j vulnerability delivered via Pure1.

See Resolving FlashBlade Log4j/Log4Shell CVE-2021-44228 for more details.

FlashBlade

Manual Patch

  • Purity//FB 3.3.x
  • Purity//FB 3.2.x
  • Purity//FB 3.1.x
  • Purity//FB 3.0.x

Online, non-disruptive patch to address the Log4j vulnerability, administered by Everpure Global Technical Services.

FlashBlade

Purity Upgrade

All

Upgrades to the following versions of Purity//FB contain a permanent fix for Log4j:

Portworx

CCM Service Upgrade

 

Portworx CCM container release incorporating Apache Log4j v2.16.0 (fixes in ccm-service:3.0.8)

See Resolving Portworx Log4j/Log4Shell CVE-2021-44228 for more details.

Pure VM Analytics OVA Collector

Upgrade

 

VMA collector v3.1.4 with the fixes is now available. Please refer to Upgrading Collectors for additional details.

Pure1

N/A

N/A

Pure1 infrastructure has been successfully updated with the appropriate fixes.

Apache Log4j 2.17.1

Details

On December 28, 2021, Apache announced that Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. Also see https://logging.apache.org/log4j/2.x/

Mitigation

Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later)

Why This is Important

Everpure has confirmed that beyond our immediate Purity Upgrade and Manual/Self Service Opt-In Patch provisioning, Pure products are not affected by any of the subsequent Apache Log4j vulnerabilities published after Log4j version 2.15.0 (CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228).

However, we acknowledge that our customers have requirements based on scanning for package dependencies to identify the presence of at-risk Apache Log4j versions known to contain possibly-vulnerable software. In other words, our product may already be remediated for the vulnerability, but customers' information security teams and IT auditors want the reassurance of knowing that no instance of the vulnerable software remains on the deployed product.

The following table explains which Pure software releases contain Apache Log4j version 2.17.1 (or later):

Product

Software Version

Availability

Comment

FlashBlade

3.0 and prior

N/A

No plans to integrate Apache Log4j 2.17.1 in //FB Purity 3.0.x

3.1

2022-03-09

3.1.13 includes Apache Log4j 2.17.1

3.2

2022-03-30

3.2.7 will include Apache Log4j 2.17.1 (expected on or before 2022-03-30)

3.3

2022-03-09

3.3.2 includes Apache Log4j 2.17.1

FlashArray

5.1 and prior

N/A

No plans to integrate Apache Log4j 2.17.1 in //FA Purity 5.1.x

5.2

N/A

No plans to integrate Apache Log4j 2.17.1 in //FA Purity 5.2.x

5.3

2022-03-01

5.3.20 includes Apache Log4j 2.17.1

6.0

N/A

6.0.x branch is EOL - Target to integrate Apache Log4j 2.17.1 is TBD

6.1

2022-03-15

6.1.15 includes Apache Log4j 2.17.1

6.2

2022-03-15

6.2.7 includes Apache Log4j 2.17.1

6.3

2022-03-31

6.3.1 includes Apache Log4j 2.17.1 (expected 2022-03-31)

Portworx

1.8.0

2022-03-01

CCM v3.1.0 contains Apache Log4j version 2.17.1

Pure1

In Compliance

2022-02-15

DX was remediated for the Log4Shell CVEs on 2022-01-03; the Base AMI includes Apache Log4j 2.17.1 as of 2022-02-15

Pure On-Premises Mediator

N/A

N/A

Does not use Apache Log4j

Pure OVA

N/A

N/A

Does not use Apache Log4j

Pure VMA Collector

3.1.8

2022-02-16

3.1.8 includes Apache Log4j 2.17.1

Pure Services Orchestrator (PSO)

N/A

N/A

Does not use Apache Log4j

CVE-2021-45046

On Tuesday 14 December, 2021, CVE-2021-45046 was released. It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

Everpure has completed evaluating implications of CVE-2021-45046 against all products.

  • FlashBlade, FlashArray, Cloud Block Store are not affected by CVE-2021-45046.
  • Portworx: Portworx is not affected by CVE-2021-45046. However, Portworx CCM container release incorporating Apache Log4j v2.16.0 fixes in ccm-service:3.0.8 is now available.
  • Pure VM Analytics OVA Collector: VMA collector (v3.1.4) is now GA. New VM Analytics Collector OVA installations and upgrades will automatically receive VMA collector v3.1.4 which includes CCM v1.8.6 incorporating Apache Log4j v2.16.0 - Pure1 VM Analytics Requirements Pure1 Manage - Virtual Machines (VM Analytics) (NOTE: 3.3.1 is the common OVA version. Once installed, it will download the VMA collector version 3.1.4).

CVE-2021-45105

Everpure is aware of the Apache Security Vulnerability CVE-2021-45105 posted Saturday, 18-DEC-2021. Everpure has assessed all Pure product families against this vulnerability. FlashArray, FlashBlade, Cloud Block Store, Portworx, Pure1, and VM Analytics Collector are not affected by this vulnerability.

CVE-2021-44832

Everpure is aware of the Apache Security Vulnerability CVE-2021-44832 posted Monday, 27-DEC-2021. Everpure has assessed all Pure product families against this vulnerability. FlashArray, FlashBlade, Cloud Block Store, Portworx, Pure1, and VM Analytics Collector are not affected by this vulnerability.

Contacting Support

If you would like one of our engineers to assist you with this issue please call +1(866) 244-7121. If calling from outside the US here is a list of phone numbers: Contact Us.

This is a final statement and will only be updated if necessary. Please refer back to this page to receive updates. On December 9, 2021, a critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed (“vulnerability”). The vulnerability, CVE-2021-44228, may result in Remote Code Execution (RCE) by logging a certain string on affected installations. Three additional Apache Log4j vulnerabilities followed the initial announcement: CV