PZOS-2016-001: DROWN vulnerability

Issue Date: 2016/03/31
Updated Date: 2016/03/31
Title: DROWN vulnerability. The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a “DROWN” attack.
Classification: Medium
Status: Closed
Affected Products: PZOS 5.6.x.x or Below

Summary

Excerpt from https://drownattack.com, “DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.”

Details

Additional information is available in CVE-2016-0800: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800

Resolution

Panzura technical staff has conducted a thorough review of the PZOS code base going back many releases. The review shows no exposure to the issue in releases since 6.0.0.0. Customers are advised to upgrade their Cloud Controllers to at least this release to protect against this issue.