[Update] FlashArray and Heartbleed bug



The Heartbleed bug (CVE-2014-0160) is a vulnerability in the OpenSSL library that can compromise the secret keys used to encrypt data, as well as the names and passwords of users. Certain versions of OpenSSL are affected by this bug. More information about the Heartbleed bug is available at: http://heartbleed.com

FlashArray Vulnerability:

FlashArrays running Purity OE 3.3.x do not use the OpenSSL versions that are affected by the Heartbleed vulnerability. Also, the Purity OE 3.4.0 command-line interface (CLI) uses secure shell (SSH), which is not impacted by the bug.

FlashArrays running Purity use OpenSSL for the web-based management interface and the RESTful API. The OpenSSL version used in Purity 3.4.0 was vulnerable to the Heartbleed security bug. OpenSSL has been updated to a version that is not affected by the Heartbleed bug. We recommend that all customers running 3.4.0 reach out to their local account team and/or contact our uber awesome support team to have the Purity Operating Environment upgraded to 3.4.2, which removes any potential vulnerability to the Heartbleed bug. This is a very quick operation that is non-disruptive to your applications, with zero performance degradation.

Note: Purity 3.3.x and any prior releases are not vulnerable to the Heartbleed bug.

Pure Storage’s CloudAssist servers were upgraded to a patched version of OpenSSL that is not vulnerable to Heartbleed. The FlashArray communicates with CloudAssist through SSH or SSH over an HTTP(S) proxy, which uses OpenSSL. SSH is not affected by the Heartbleed vulnerability. SSH over HTTPS is also secure because CloudAssist uses a patched version of OpenSSL.

Hope this helps to show how responsive we are to industry security vulnerabilities.  We appreciate your business.

Keeping things Pure, Orange, Secure, and Awesome!
