|Title:|SSL is vulnerable to man-in-the-middle attack, AKA “POODLE”|
|Affected Products:|PZOS 220.127.116.11 and earlier|
The NIST National Cyber Awareness System announced a vulnerability discovered in the SSL protocol 3.0. Additional information is available under CVE-2014-3566: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
As noted at the above URL:
“The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.”
Panzura technical staff has conducted a thorough review of the PZOS code base and concluded that Panzura Cloud Controllers are susceptible to this vulnerability because we support SSL version 3 both for our WebUI management interface and for transporting traffic through our Cloud Connectors. A fix has been developed, is undergoing QA, and should be available in an upcoming software release within the next 6 weeks.
Upgrade the Panzura software to PZOS version 18.104.22.168 or higher; any future major or minor releases will also correct the issue. Release notes for this version will outline details as necessary for this correction.
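One way to check whether a management interface or other TLS endpoint still completes an SSL 3.0 handshake, for instance before and after an upgrade, is to send an SSL 3.0-only ClientHello and look at the first record that comes back. The following is an added example, not Panzura code; the function names and result labels are hypothetical, and the host and port are supplied by the operator.

```python
import socket
import struct
import sys

SSL3 = b"\x03\x00"  # SSL 3.0 version bytes on the wire

def build_sslv3_client_hello() -> bytes:
    """Minimal SSL 3.0 ClientHello offering only CBC suites, the mode POODLE concerns."""
    suites = struct.pack("!3H", 0x002F, 0x0035, 0x000A)  # AES128-SHA, AES256-SHA, 3DES-SHA
    body = (SSL3 + bytes(32)                  # client_version, 32-byte random (zeros: probe only)
            + b"\x00"                          # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(reply: bytes) -> str:
    """Classify the first record returned in answer to the probe."""
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02 and reply[9:11] == SSL3:
        return "sslv3-accepted"               # ServerHello selecting SSL 3.0
    if len(reply) >= 7 and reply[0] == 0x15:
        return "sslv3-refused"                # alert record: handshake rejected
    return "inconclusive"                     # closed, timed out, or not TLS

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the probe to host:port and classify the answer."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            while len(reply) < 11:            # enough bytes to read the ServerHello version
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except (ConnectionResetError, socket.timeout):
            pass
    return classify_reply(reply)

if __name__ == "__main__":
    # Usage: python probe.py <host> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(host, port, probe(host, port))
```

A result of `sslv3-accepted` means the endpoint negotiated SSL 3.0 with a CBC cipher suite; `inconclusive` covers endpoints that close the connection without sending an alert and should be checked by other means.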