OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and CVE-2022-3602
Created On 11/01/22 19:47 PM - Last Modified 04/22/24 07:17 AM
Question
Are Palo Alto Networks devices or software vulnerable to the OpenSSL vulnerabilities published as CVE-2022-3786 and CVE-2022-3602?
Environment
Palo Alto Networks firewalls and cloud services.
Answer
Palo Alto Networks would like to inform you about two high-severity vulnerabilities, CVE-2022-3786 and CVE-2022-3602, that were recently published by the OpenSSL Project. These vulnerabilities impact OpenSSL versions 3.0.0 through 3.0.6 and were disclosed on November 1st, 2022.
Palo Alto Networks Systems and Software Vulnerabilities
Palo Alto Networks has conducted a comprehensive evaluation of its products and has confirmed that none of its assets appear to be vulnerable. The vulnerabilities, identified as CVE-2022-3602 and CVE-2022-3786, affect OpenSSL versions 3.0.0 through 3.0.6 and have been resolved in OpenSSL 3.0.7. Palo Alto Networks products use portions of OpenSSL 1.0.1, which is not impacted by these vulnerabilities.
This may be confirmed by referring to our Security Advisory page, https://security.paloaltonetworks.com/PAN-SA-2022-0006.
Vulnerability / IPS Signatures
Palo Alto Networks has released a Unique Threat ID of 93212 (OpenSSL Buffer Overflow Vulnerability) for CVE-2022-3602, with a Content Version of 8638.
Prisma Cloud
With Prisma Cloud, security teams can detect and remediate vulnerable systems now that a fixed release is available. Prisma Cloud customers can implement controls to address these vulnerabilities across various stages of the application lifecycle, from code to cloud. The Prisma Cloud Intelligence Stream is updated regularly to incorporate known information about vulnerabilities. Users are advised to upgrade all OpenSSL instances between 3.0.0 and 3.0.6 to version 3.0.7.
Additional Information
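A host-side check for the upgrade guidance above, added here as an example; it is not code from this article, from Prisma Cloud, or from any Palo Alto Networks product. It parses the banner printed by `openssl version` and the libssl build reported by the running Python interpreter (`ssl.OPENSSL_VERSION`), and flags anything in the 3.0.0 to 3.0.6 range. The sample banners are constructed for illustration, and the function names are the example's own.

```python
"""Classify OpenSSL version banners against the CVE-2022-3602 / CVE-2022-3786 range.

Added example; not code from the Palo Alto Networks article or its products.
"""
import re
import ssl
import subprocess

# Affected range from the OpenSSL advisory: 3.0.0 through 3.0.6; fixed in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# Matches "OpenSSL 3.0.5 5 Jul 2022" and 1.x banners such as "OpenSSL 1.1.1q  5 Jul 2022".
# LibreSSL/BoringSSL banners do not match and are classified as unknown.
BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an OpenSSL banner, or None if it is not one."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True for 3.0.0 <= version < 3.0.7; 1.0.x, 1.1.1x, 3.0.7+ and 3.1.x fall outside."""
    return AFFECTED_MIN <= version < FIXED_IN


def classify(banner):
    """Map a banner to 'vulnerable', 'not affected' or 'unknown' (not an OpenSSL banner)."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if is_affected(version) else "not affected"


def cli_banner():
    """Banner of the `openssl` binary on PATH, or '' if it cannot be run."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return ""
    return out.stdout


def audit_local_host():
    """Check the two OpenSSL copies this script can see: the CLI and Python's own libssl.

    Other applications may bundle or statically link a third copy; those need their own check.
    """
    return {
        "openssl-cli": classify(cli_banner()),
        "python-ssl": classify(ssl.OPENSSL_VERSION),
    }


# Constructed sample banners for illustration (not collected from real systems).
SAMPLE_BANNERS = {
    "OpenSSL 3.0.2 15 Mar 2022": "vulnerable",
    "OpenSSL 3.0.6 11 Oct 2022": "vulnerable",
    "OpenSSL 3.0.7 1 Nov 2022": "not affected",
    "OpenSSL 3.1.0 14 Mar 2023": "not affected",
    "OpenSSL 1.1.1q  5 Jul 2022": "not affected",
    "LibreSSL 3.3.6": "unknown",
}

if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        print(f"{banner!r:32} -> {classify(banner)} (expected {expected})")
    print(audit_local_host())
```

Two caveats when using a check like this in practice. A version string only tells you about the copy of OpenSSL that produced it; containers, language runtimes and vendored libraries carry their own, which is why the example inspects Python's libssl separately from the CLI. And distributions that backport the fix without bumping the version (a "3.0.2" package that already contains the patch) will show as vulnerable here; confirm against the distribution's package changelog or advisory before acting on such a result.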
References: