How to identify if a new Open Source Software vulnerability (CVE) affects PAN-OS
Created On 07/01/22 05:39 AM - Last Modified 06/15/23 21:07 PM
Objective
PAN-OS includes some OSS libraries, and new CVEs (or vulnerable OSS versions) are published frequently. This article helps you identify whether a vulnerable OSS component is used in a given PAN-OS release and whether the CVE directly affects PAN-OS.
Environment
- All Palo Alto Networks products
- All PAN-OS versions
- OSS libraries (Open Source Software)
Procedure
Palo Alto Networks products' software includes some open-source software libraries. The following procedure will help you identify whether a newly published CVE affects PAN-OS.
1. Identify the current PAN-OS version with the CLI command "show system info" and read the sw-version line:
admin@Lab196-97-PA-VM> show system info
hostname: ...
......
sw-version: 10.0.0
.....
2. Palo Alto Networks publishes the affected and unaffected PAN-OS versions for each CVE in its security advisories. The third-party OSS used can be found here. These lists are the first place to check whether your PAN-OS version is affected.
- The PAN-OS version is safe if the third-party software (OSS) is not used at all.
- The PAN-OS version is also safe if the third-party software (OSS) used is a different version from the affected one. Refer to the example in the Additional Information section.
- If your PAN-OS version is affected by the CVE, follow the steps in the security advisory. Search for more information on Live Community, blogs, KB articles, or external sources such as https://nvd.nist.gov/.
- If no satisfactory answer is found, open a support case.
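The two checks above (read sw-version, then compare the bundled OSS version against the advisory's affected range) are easy to get wrong when versions are compared as strings: "2.4.6" sorts after "2.4.53" lexically. The following added example, which is not part of this article or any Palo Alto Networks tool, parses a constructed "show system info" capture, looks the release up in a constructed placeholder OSS manifest (component names and versions are invented, not the published third-party list), and classifies the device as not-used, safe, or affected using per-field numeric comparison. The advisory remains the authoritative source; the script only tells you which of the three cases above you are in.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of "show system info" output (not a real device capture).
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: Lab196-97-PA-VM
ip-address: 192.0.2.10
model: PA-VM
sw-version: 10.0.0
app-version: 8000-0000
"""

# Constructed OSS manifest keyed by PAN-OS major.minor release train.
# Component names and versions are placeholders, not Palo Alto Networks' published list.
OSS_MANIFEST: Dict[str, Dict[str, str]] = {
    "10.0": {"example-httpd": "2.4.6", "example-xml": "2.9.10"},
    "10.1": {"example-httpd": "2.4.54", "example-xml": "2.9.14"},
    "10.2": {"example-xml": "2.9.14"},
}


def parse_sw_version(show_system_info: str) -> Optional[str]:
    """Extract the sw-version value from 'show system info' output."""
    match = re.search(r"^sw-version:\s*(\S+)\s*$", show_system_info, re.MULTILINE)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.4.53' into (2, 4, 53) so each field compares numerically, not as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def release_train(sw_version: str) -> str:
    """Map a full PAN-OS version such as 10.0.0 or 10.1.9-h3 to its major.minor train."""
    major, minor = version_tuple(sw_version)[:2]
    return f"{major}.{minor}"


def bundled_version(sw_version: str, component: str) -> Optional[str]:
    """Look up the version of an OSS component bundled with this PAN-OS release train."""
    return OSS_MANIFEST.get(release_train(sw_version), {}).get(component)


def assess(show_system_info: str, component: str, affected_max: str) -> str:
    """Classify a device against an advisory of the form 'component <= affected_max is vulnerable'.

    Returns 'not-used' (component absent), 'safe' (newer than the range) or 'affected'.
    """
    sw_version = parse_sw_version(show_system_info)
    if sw_version is None:
        raise ValueError("sw-version not found in show system info output")
    bundled = bundled_version(sw_version, component)
    if bundled is None:
        return "not-used"
    if version_tuple(bundled) <= version_tuple(affected_max):
        return "affected"
    return "safe"


if __name__ == "__main__":
    print("sw-version:", parse_sw_version(SAMPLE_SHOW_SYSTEM_INFO))
    print("example-httpd <= 2.4.53:", assess(SAMPLE_SHOW_SYSTEM_INFO, "example-httpd", "2.4.53"))
```

Replace the placeholder manifest with the entries from the published third-party software list for your release, and pass the upper bound stated in the advisory as affected_max; hotfix suffixes such as -h3 are ignored for the train lookup but kept by version_tuple if you need finer comparisons.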
Additional Information
PAN-OS can still be unaffected even when the vulnerable third-party OSS is used, provided the bundled version is a safe one. Here is an example from the PAN-OS 10.0 OSS listing.
- Looking at CVE-2022-26377 (possible request smuggling), the vulnerable Apache HTTP Server versions are 2.4.53 and earlier.
- A list of third-party software used by Palo Alto Networks for different PAN-OS versions can be found here.
- From the list, Apache HTTP Server version 2.4.6 is used in PAN-OS 10.0.x, and so this software is not vulnerable.