Release Notes

Fabric OS v7.3.0c Release Notes v1.0
Defect ID: DEFECT000532108
Technical Severity: Medium
Probability: Medium
Product: FOS
Technology: Security
Reported In Release: FOS6.4.3_dcb
Technology Area: Security Vulnerability
Symptom:
Security vulnerability CVE-2014-3566 makes it easier for man-in-the-middle attackers to obtain
cleartext data via a padding-oracle attack.
Condition:
Customers of Brocade SAN products could be exposed to this vulnerability under the following
conditions:
- An end user must use a web browser to access the FOS WebTools interface or use other
  HTTP clients such as Brocade Network Advisor to manage the switch.
- A web browser or other HTTP client must support SSL protocol 3.0.
- An intruder has to interject between an HTTP client and a SAN switch.
- An intruder has to spend time monitoring the request-response formats to gain knowledge of
  the system operations. A total of 256 SSL 3.0 requests is required to decrypt one byte of
  HTTP cookies.
Workaround:
End users should configure their web browsers or Brocade Network Advisor to disable SSLv3
support when accessing a Brocade SAN switch. In addition, place your Brocade SAN switch and
other critical data center infrastructure behind a firewall that disallows access from the
Internet, to minimize potential exposure to the attacks documented in this advisory.
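
One way to check that the workaround has taken effect is to inspect captured handshake records from switch management traffic and flag any hello message that carries the SSL 3.0 version (0x0300). This is an added example, not part of the Brocade release notes; the function names, source labels and sample records are constructed, and it assumes each record starts with an unfragmented ClientHello or ServerHello.

```python
import struct

SSL3 = 0x0300          # protocol version bytes 03 00
HANDSHAKE = 0x16       # TLS/SSL record content type
HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}

def parse_hello(record: bytes):
    """Return (hello_type, version) for a handshake record that begins with a
    ClientHello or ServerHello; None for other or truncated records."""
    if len(record) < 11 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] not in HELLO_TYPES:
        return None
    if int.from_bytes(body[1:4], "big") < 2:   # handshake body too short
        return None
    return HELLO_TYPES[body[0]], struct.unpack("!H", body[4:6])[0]

def ssl3_findings(records):
    """Return (source, hello_type) for every hello that carries SSL 3.0.
    ClientHello: the client offers SSL 3.0 as its highest version.
    ServerHello: the server selected SSL 3.0 for the session."""
    findings = []
    for src, rec in records:
        parsed = parse_hello(rec)
        if parsed and parsed[1] == SSL3:
            findings.append((src, parsed[0]))
    return findings

def make_hello(hs_type: int, version: int) -> bytes:
    """Build a minimal constructed hello record (zeroed random, empty session id)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    # ClientHello: suite list + compression list; ServerHello: one suite + method
    body += b"\x00\x02\x00\x2f\x01\x00" if hs_type == 1 else b"\x00\x2f\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", version, len(hs)) + hs

# Constructed sample records; the source labels are hypothetical.
SAMPLE = [
    ("browser-a", make_hello(1, 0x0303)),   # TLS 1.2 client
    ("browser-b", make_hello(1, 0x0300)),   # client still offering SSL 3.0
    ("switch", make_hello(2, 0x0300)),      # server agreed to SSL 3.0
    ("switch", make_hello(2, 0x0303)),
    ("noise", b"\x17\x03\x03\x00\x01\x00"), # application data, ignored
]

if __name__ == "__main__":
    for src, kind in ssl3_findings(SAMPLE):
        print(f"SSL 3.0 {kind} from {src}")
```

After SSLv3 is disabled on every management client, no ClientHello with version 0x0300 should appear; a ServerHello with that version means a session was still negotiated over SSL 3.0.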