Issue Date: 8/30/2018
Title: Panzura Security Advisory PZOS-2018-001
Classification: High
Status: Closed
Affected Products: PZOS 7.2.X or above

Summary

FreeBSD Security Vulnerabilities CVE-2018-5390 and CVE-2018-3615/20/46.

Details

With release 7.2.0.0, Panzura moved from FreeBSD 10 to FreeBSD 12. Two security vulnerabilities have been discovered in FreeBSD 12. Although Panzura uses FreeBSD 12, their impact is very low.

With CVE-2018-5390, an attacker can maliciously modify the network stack to cause a denial-of-service attack. With CVE-2018-3615/20/46, processors utilizing speculative execution (pre-executing some instructions) may allow unauthorized disclosure of information in cache if an attacker has execution privileges to install and execute a binary.

With the Panzura filer deployed as an appliance behind a corporate firewall, an attacker would have to go through multiple levels of security before gaining access to the filer. For better security protection, Panzura has also released fixes for the two security vulnerabilities in the CloudFS 7.2.2 release.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5390 (CVE-2018-5390) and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615 (CVE-2018-3615/20/46) for more details regarding these vulnerabilities.
