Panzura Security Advisory PZOS-2016-001

Issue Date: 03/31/2016
Title: DROWN vulnerability. The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a “DROWN” attack
Classification: Medium
Status: Open
Affected Products: PZOS 5.6.x.x or Below

Summary

Excerpt from https://drownattack.com, “DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.”

Additional information is available in CVE-2016-0800 available here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800

Details

As noted at the above URL:

Panzura technical staff has conducted a thorough review of the PZOS code base going back many releases. The review shows no exposure to the issue in releases since 6.0.0.0 (released approximately one year ago). Customers are advised to upgrade their Cloud Controllers to at least this release (6.1.0.4 is current today) to protect against this issue.
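The condition the advisory describes is a server that still completes an SSLv2 handshake, because that is the oracle DROWN leverages. The following Python is an added example, not Panzura's code or part of PZOS: it parses the bytes a server returns after an SSLv2 ClientHello (for instance from a capture of an internal scan of your own Cloud Controllers) and reports whether the host answered with an SSLv2 ServerHello, which SSLv2 cipher kinds it offered, and whether any of them are the 40-bit export kinds that the general form of the attack relies on. The record layout follows the SSL 2.0 protocol draft; the three sample responses are constructed for the demonstration, and the certificate bytes in them are a placeholder, not a real DER certificate.

```python
"""Classify a server's response to an SSLv2 ClientHello.

Added example, not Panzura's code.  Sample responses are constructed.
"""
import struct

# SSLv2 message types (SSL 2.0 protocol draft, section 4.2)
SSL2_MT_ERROR = 0x00
SSL2_MT_SERVER_HELLO = 0x04

# SSLv2 cipher kinds, 3 bytes each; the EXPORT40 kinds use 40-bit keys.
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def parse_sslv2_response(data: bytes) -> dict:
    """Return {"sslv2": bool, ...} for the bytes sent back after an SSLv2
    ClientHello.  "sslv2" is True only if the server completed an SSLv2
    ServerHello.  Raises ValueError on malformed input."""
    if len(data) < 2:
        raise ValueError("response too short for a record header")
    # A TLS record (alert 0x15 or handshake 0x16, major version 3) means the
    # server answered in TLS, so it did not accept the SSLv2 hello.
    if data[0] in (0x15, 0x16) and data[1] == 0x03:
        return {"sslv2": False, "reason": "server answered with a TLS record"}
    # SSLv2 two-byte record header: high bit set, low 15 bits are the length.
    if not data[0] & 0x80:
        raise ValueError("not a two-byte SSLv2 record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len or not body:
        raise ValueError("truncated SSLv2 record")
    if body[0] == SSL2_MT_ERROR:
        return {"sslv2": False, "reason": "server sent an SSLv2 ERROR message"}
    if body[0] != SSL2_MT_SERVER_HELLO:
        raise ValueError(f"unexpected SSLv2 message type {body[0]:#04x}")
    if len(body) < 11:
        raise ValueError("ServerHello header truncated")
    # SESSION-ID-HIT, CERTIFICATE-TYPE, SERVER-VERSION, then three lengths.
    (session_hit, cert_type, version,
     cert_len, spec_len, conn_len) = struct.unpack("!BBHHHH", body[1:11])
    if len(body) != 11 + cert_len + spec_len + conn_len:
        raise ValueError("ServerHello field lengths do not match record")
    if spec_len % 3:
        raise ValueError("cipher-spec field is not a multiple of 3 bytes")
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    ciphers = [SSL2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, spec_len, 3)]
    return {
        "sslv2": True,
        "version": version,
        "session_id_hit": bool(session_hit),
        "certificate_type": cert_type,
        "certificate_length": cert_len,
        "ciphers": ciphers,
        "export_ciphers": any("EXPORT40" in c for c in ciphers),
        "connection_id_length": conn_len,
    }


def build_server_hello(ciphers: bytes, cert: bytes, conn_id: bytes) -> bytes:
    """Build a constructed SSLv2 ServerHello record (sample data only)."""
    body = (bytes([SSL2_MT_SERVER_HELLO, 0x00, 0x01])  # no session hit, X.509
            + struct.pack("!HHHH", 0x0002, len(cert), len(ciphers), len(conn_id))
            + cert + ciphers + conn_id)
    return struct.pack("!H", 0x8000 | len(body)) + body


# Constructed samples: a vulnerable SSLv2 ServerHello, a TLS 1.0 fatal
# protocol_version alert, and an SSLv2 ERROR (NO-CIPHER-ERROR, 0x0001).
SAMPLE_SSLV2_HELLO = build_server_hello(
    ciphers=b"\x01\x00\x80" + b"\x02\x00\x80",
    cert=b"\x30\x06\x02\x01\x01\x02\x01\x02",  # placeholder bytes, not a certificate
    conn_id=bytes(range(16)),
)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"
SAMPLE_SSLV2_ERROR = b"\x80\x03\x00\x00\x01"

if __name__ == "__main__":
    for name, sample in [("sslv2 hello", SAMPLE_SSLV2_HELLO),
                         ("tls alert", SAMPLE_TLS_ALERT),
                         ("sslv2 error", SAMPLE_SSLV2_ERROR)]:
        print(name, parse_sslv2_response(sample))
```

A host whose response parses with `"sslv2": True` still negotiates SSLv2 and falls under this advisory regardless of which cipher kinds it lists; the `export_ciphers` flag only tells you which of those hosts to prioritise.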
