Document 375189

October 24, 2014
OpenSSL POODLE Vulnerability Assessment for Brocade
Revision 1.2
Vulnerabilities:
CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses
nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext
data via a padding-oracle attack, aka the "POODLE" issue.
Vulnerability Statement: Statement of vulnerability from OpenSSL.org
Summary: Select Brocade products use the OpenSSL package and may be impacted by this
vulnerability. Brocade is working to develop a comprehensive plan to address this issue in all vulnerable
products. This notice will be updated as more information becomes available. Where there are impacts
and fixes these will be published in product-specific TSBs.
Assessment of Vulnerability for Brocade Products
Product
Current status
Network Advisor
The following releases are impacted Network Advisor 12.0.x to 12.3.x and
Network Advisor 11.0.x to 11.3.x (If SSL is enabled) – see TSB 2014-201-A
Fabric OS
Impacted, see TSB 2014-203-A for details
Network OS
Not Impacted.
NetIron
Impacted.
FastIron
Impacted.
BigIron RX
Impacted.
ServerIron ADX
Impacted, see TSB 2014-202-A for details.
ServerIron JetCore
Impacted, see TSB 2014-202-A for details.
Virtual ADX
Impacted, see TSB 2014-202-A for details.
Vyatta vRouter
Impacted.
ARB
Under investigation.
ServerIron-XL
Under investigation.
IronView Network
Manager
Impacted
DCFM
All DCFM releases impacted if SSL enabled.
Brocade Mobility
Controllers
Under investigation.
Product
Current status
Brocade Mobility
Access Points
Under investigation.
Brocade’s IT Incident Response team is researching the public facing systems to determine impact and
then remediate accordingly.
Brocade Monitoring, Analytics, and Remote Troubleshooting Environment
 The Network components, i.e., firewall (affected), switching (under investigation by vendor), routing
(under investigation by vendor) and mgmt. platform (affected) are affected but not vulnerable from
outside attack. SSL connections are not through the FW to affected devices.
 Remote Access components: Secure File Transfer (SFT) (under investigation by vendor),
Authentication system (under investigation by vendor), Remote Access gateway (affected). SSLv3
and lower has been disabled on the Remote Access gateway, negating the POODLE attack. Our FW
does not allow SSL connectivity to the SFT and Authentication systems.
 The UNIX/LINUX operating systems were not vulnerable but we have are working with application
vendors whose products use OpenSSL to determine the risk. Our FW does not allow SSL connectivity
to NMS servers from external hosts.
Currently we are not known to be vulnerable to external attacks. Patches will be applied when provided
by vendors.
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES
AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE
INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED
HEREIN IS BASED ON BROCADE’S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE
VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS.
BROCADE
RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Document Revision
1.0
1.1
1.2
Changes
First release
Updated NOS status; Removed USD-X which is no longer supported; Updated
Brocade IT and NMS response.
Updated information for FOS, SI and vADX
page 2