Panzura Security Advisory PZOS-2014-002

Issue Date: 06/05/2014
Updated Date: 06/20/2014
Title: OpenSSL SSL/TLS Man In The Middle Vulnerability Review
Classification: Moderate
Status: Closed
Affected Products: PZOS – All Supported Versions 5.4.3.3 or Below

Summary

The OpenSSL Project announced a Security Advisory on June 05, 2014 regarding a critical MITM (Man In The Middle) vulnerability in OpenSSL version 1.0.1 through version 1.0.2-beta1 (CVE-2014-0224 – https://www.openssl.org/news/secadv_20140407.txt).

Details

A MITM attacker can craft a handshake between a client and server that uses weak key material, which allows the attacker to intercept traffic.

Panzura will be upgrading PZOS to protect against this. Public cloud vendors are addressing this on their side. Amazon has published documentation stating that this is not a vulnerability on their side. This exposure is only present if both sides of a connection are exposed. The risk is therefore low, but Panzura will patch its software in an upcoming release by upgrading the OpenSSL version to eliminate the exposure.

Resolution

Upgrade the Panzura software to PZOS version 5.5.0.6 or higher; any future major or minor releases will also correct the issue. Release notes for this version will outline details as necessary for this correction.
