
PZOS-2014-005: SSL is vulnerable to man-in-the-middle attack, AKA “POODLE”

Issue Date: 2014/10/27
Updated Date: 2015/02/25
Title: SSL is vulnerable to man-in-the-middle attack, AKA “POODLE”
Classification: Medium
Status: Closed
Affected Products: PZOS and earlier


The NIST National Cyber Awareness System announced a vulnerability discovered in SSL protocol 3.0. Additional information is available under CVE-2014-3566: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566


As noted at the above URL:

“The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.”

Panzura technical staff has conducted a thorough review of the PZOS code base and concluded that Panzura Cloud Controllers are susceptible to this vulnerability because we support SSL version 3 both for our WebUI management interface and for transporting traffic through our Cloud Connectors. A fix has been developed, is undergoing QA, and should be available in an upcoming software release within the next 6 weeks.


Upgrade the Panzura software to PZOS version or higher; any future major or minor releases will also correct the issue. Release notes for this version will outline details as necessary for this correction.
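
One way to check whether an endpoint, such as the WebUI management interface, still negotiates SSL version 3 is to offer it an SSL 3.0-only ClientHello and classify the first record it returns. This is an added example, not Panzura code: the function names, the cipher suites offered and the default port 443 are assumptions. It uses a raw socket because current TLS libraries usually ship with SSL 3.0 support removed.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # wire encoding of protocol version SSL 3.0


def build_ssl3_client_hello() -> bytes:
    """Return one record holding a ClientHello that offers SSL 3.0 only."""
    # Constructed offer: two CBC suites defined for SSL 3.0
    # (RSA_WITH_AES_128_CBC_SHA, RSA_WITH_3DES_EDE_CBC_SHA).
    suites = b"\x00\x2f\x00\x0a"
    body = (SSL3 + os.urandom(32)               # client_version, random
            + b"\x00"                           # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                      # null compression only
    # Handshake header: type 1 (ClientHello) plus a 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), version, 2-byte length.
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back after that ClientHello."""
    if len(data) < 5:
        return "refused"    # closed or reset without sending a full record
    if data[0] == 0x15:
        return "refused"    # alert record, e.g. handshake_failure
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: server_version follows the 4-byte handshake header.
        return "accepted" if data[9:11] == SSL3 else "unknown"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the SSL 3.0-only ClientHello to host:port and classify the reply.

    Connection failures and timeouts raise, so an unreachable host is
    never reported as having refused SSL 3.0.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_ssl3_client_hello())
        try:
            data = s.recv(4096)
        except ConnectionError:
            data = b""      # peer reset the connection after the offer
    return classify_reply(data)
```

A result of "accepted" means the endpoint completed version negotiation at SSL 3.0 and is still exposed to CVE-2014-3566; "refused" means it answered with an alert or closed the connection.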