October 24, 2014 OpenSSL POODLE Vulnerability Assessment for Brocade Revision 1.2 Vulnerabilities: CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. Vulnerability Statement: Statement of vulnerability from OpenSSL.org Summary: Select Brocade products use the OpenSSL package and may be impacted by this vulnerability. Brocade is working to develop a comprehensive plan to address this issue in all vulnerable products. This notice will be updated as more information becomes available. Where there are impacts and fixes these will be published in product-specific TSBs. Assessment of Vulnerability for Brocade Products Product Current status Network Advisor The following releases are impacted Network Advisor 12.0.x to 12.3.x and Network Advisor 11.0.x to 11.3.x (If SSL is enabled) – see TSB 2014-201-A Fabric OS Impacted, see TSB 2014-203-A for details Network OS Not Impacted. NetIron Impacted. FastIron Impacted. BigIron RX Impacted. ServerIron ADX Impacted, see TSB 2014-202-A for details. ServerIron JetCore Impacted, see TSB 2014-202-A for details. Virtual ADX Impacted, see TSB 2014-202-A for details. Vyatta vRouter Impacted. ARB Under investigation. ServerIron-XL Under investigation. IronView Network Manager Impacted DCFM All DCFM releases impacted if SSL enabled. Brocade Mobility Controllers Under investigation. Product Current status Brocade Mobility Access Points Under investigation. Brocade’s IT Incident Response team is researching the public facing systems to determine impact and then remediate accordingly. Brocade Monitoring, Analytics, and Remote Troubleshooting Environment  The Network components, i.e., firewall (affected), switching (under investigation by vendor), routing (under investigation by vendor) and mgmt. platform (affected) are affected but not vulnerable from outside attack. SSL connections are not through the FW to affected devices.  Remote Access components: Secure File Transfer (SFT) (under investigation by vendor), Authentication system (under investigation by vendor), Remote Access gateway (affected). SSLv3 and lower has been disabled on the Remote Access gateway, negating the POODLE attack. Our FW does not allow SSL connectivity to the SFT and Authentication systems.  The UNIX/LINUX operating systems were not vulnerable but we have are working with application vendors whose products use OpenSSL to determine the risk. Our FW does not allow SSL connectivity to NMS servers from external hosts. Currently we are not known to be vulnerable to external attacks. Patches will be applied when provided by vendors. Disclaimer THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE’S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Document Revision 1.0 1.1 1.2 Changes First release Updated NOS status; Removed USD-X which is no longer supported; Updated Brocade IT and NMS response. Updated information for FOS, SI and vADX page 2