Panzura Security Advisory PZOS-2016-001
Title: DROWN vulnerability. The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a “DROWN” attack.
Affected Products: PZOS 5.6.x.x or below
Excerpt from https://drownattack.com: “DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.”
Additional information is available in the CVE-2016-0800 entry: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800
As noted at the above URL:
Panzura technical staff has conducted a thorough review of the PZOS code base going back many releases. The review shows no exposure to the issue in releases since 220.127.116.11 (released approximately one year ago). Customers are advised to upgrade their Cloud Controllers to at least this release (18.104.22.168 is current today) to protect against this issue.
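DROWN only works against servers that still complete an SSLv2 handshake, so the practical post-upgrade check is whether a Cloud Controller (or any other TLS endpoint) still answers an SSLv2 CLIENT-HELLO with a SERVER-HELLO. The following is an added example written for this advisory, not Panzura's own tooling: it builds the SSLv2 CLIENT-HELLO from the SSL 2.0 draft specification, parses the reply, and reports the SSLv2 cipher kinds the server offers. The host and port are the reader's own endpoint; the sample SERVER-HELLO used in the check below is constructed, not captured.

```python
import socket
import struct

# SSLv2 cipher-kind identifiers (3 bytes each) from the SSL 2.0 draft spec.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_sslv2_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind. The 2-byte record
    header carries the body length with its high bit set (no padding byte)."""
    ciphers = b"".join(SSLV2_CIPHER_KINDS)
    body = (b"\x01\x00\x02"                      # MSG-CLIENT-HELLO, version 0x0002
            + struct.pack("!HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)               # no session id
    return struct.pack("!H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data: bytes):
    """Return the cipher kinds an SSLv2 SERVER-HELLO offers, or None when the
    reply is not one (a TLS-only server sends an alert or just closes)."""
    if len(data) < 13 or not data[0] & 0x80:      # need a 2-byte SSLv2 header
        return None
    body = data[2:2 + (((data[0] & 0x7f) << 8) | data[1])]
    if len(body) < 11 or body[0] != 0x04 or body[3:5] != b"\x00\x02":
        return None                               # not MSG-SERVER-HELLO / v2
    cert_len, ciphers_len, _conn_id_len = struct.unpack("!HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + ciphers_len]
    if len(specs) != ciphers_len or ciphers_len % 3:
        return None                               # truncated or malformed reply
    return [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, ciphers_len, 3)]

def check_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Connect to host:port, send the CLIENT-HELLO and parse whatever comes back.
    A non-None result means SSLv2 is still enabled and the endpoint needs fixing."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        reply = b""
        try:
            while len(reply) < 4096:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass
    return parse_sslv2_server_hello(reply)
```

Run `check_sslv2("controller.example.internal")` against each Cloud Controller after the upgrade; the expected result on a fixed release is `None`.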