Issue Date: 2018/08/30
Updated Date: 2018/08/30
Title: FreeBSD Security Vulnerabilities
Classification: High
Status: Closed
Affected Products: CloudFS 7.2.0, 7.2.1
Summary
FreeBSD Security Vulnerabilities CVE-2018-5390 and CVE-2018-3615/20/46.
Details
With 7.2.0.0, Panzura moved from FreeBSD 10 to FreeBSD 12. With FreeBSD 12, two security vulnerabilities have been discovered, though their impact is low.
With CVE-2018-5390, an attacker can maliciously modify the network stack to cause a denial-of-service attack. With CVE-2018-3615/20/46, processors that use speculative execution (pre-executing some instructions) may allow unauthorized disclosure of information in cache if an attacker has execution privileges to install and execute a binary.
With the Panzura node deployed as an appliance behind a corporate firewall, an attacker would have to go through multiple levels of security before gaining access to the node.
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5390 (CVE-2018-5390) and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615 (CVE-2018-3615/20/46) for more details regarding these vulnerabilities.
Resolution
Panzura has addressed the two security vulnerabilities in the CloudFS 7.2.2 release.