Panzura Security Advisory PZOS-2014-002
Title: OpenSSL SSL/TLS Man In The Middle Vulnerability Review
Affected Products: PZOS – All Supported Versions 184.108.40.206 or Below
The OpenSSL Project published a security advisory on June 05, 2014, regarding a critical man-in-the-middle (MITM) vulnerability in versions 1.0.1 through 1.0.2-beta1 (CVE-2014-0224 – https://www.openssl.org/news/secadv_20140407.txt).
A MITM attacker can craft a handshake between a client and a server with weak key material, which allows the attacker to intercept traffic.
Panzura will upgrade PZOS to protect against this vulnerability. Public cloud vendors are addressing it on their side, and Amazon has published documentation stating that this is not a vulnerability on their side. The exposure is present only if both sides of a connection are exposed, so the risk is low; Panzura will nevertheless patch its software by upgrading the OpenSSL version in an upcoming release to eliminate the exposure.
Upgrade the Panzura software to PZOS version 220.127.116.11 or higher; any future major or minor releases will also correct the issue. Release notes for this version will outline details as necessary for this correction.
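To triage other hosts against the version range and the both-sides condition described above, the following added example (not Panzura's or OpenSSL's code) classifies `openssl version` banners. The fix release 1.0.1h comes from the OpenSSL advisory rather than this page, and the sample banners and host names are constructed.

```python
import re

# Fix release on the 1.0.1 branch, per the OpenSSL advisory for CVE-2014-0224.
# Assumption: this page does not state the fixed OpenSSL release itself.
FIXED_101_LETTER = "h"

# Matches e.g. "OpenSSL 1.0.1g 7 Apr 2014" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_BANNER = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?")


def in_affected_range(banner):
    """True if the banner falls in the range this advisory names
    (1.0.1 through 1.0.2-beta1) and predates the 1.0.1 fix release.
    Other branches return False, meaning "outside the named range",
    not "verified safe"."""
    m = _BANNER.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        # Patch letters sort alphabetically; "" is the initial 1.0.1 release.
        return letter < FIXED_101_LETTER
    if branch == (1, 0, 2):
        return letter == "" and suffix == "beta1"
    return False


def connection_exposed(client_banner, server_banner):
    """The advisory's condition: exposure needs both endpoints affected."""
    return in_affected_range(client_banner) and in_affected_range(server_banner)


# Constructed sample inventory (hypothetical host names).
SAMPLES = {
    "filer-a": "OpenSSL 1.0.1g 7 Apr 2014",
    "filer-b": "OpenSSL 1.0.1h 5 Jun 2014",
    "gateway": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLES.items()):
        print(host, "AFFECTED" if in_affected_range(banner) else "ok")
    print("filer-a <-> gateway exposed:",
          connection_exposed(SAMPLES["filer-a"], SAMPLES["gateway"]))
```

Distribution packages often backport fixes without changing the version letter, so treat a banner match as a prompt to check the vendor's package changelog rather than as proof.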