PANOS OpenSSL Updates

The Palo Alto Networks Product Security Assurance team is evaluating the OpenSSL infinite loop vulnerability (CVE-2022-0778) as it relates to our products.

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a Denial-of-Service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

The Cortex XSOAR product is not impacted by this vulnerability. However, PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a vulnerable version of the OpenSSL library and product availability is impacted by this vulnerability. For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers. This vulnerability has reduced severity on Cortex XDR agent and Global Protect app as successful exploitation requires an attacker-in-the-middle attack (MITM): 5.9 Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

We are working diligently on fixes to remove the vulnerable code from our PAN-OS, GlobalProtect app, and Cortex XDR agent software. The fixed versions for hotfixes and other product upgrades will be updated as soon as possible.

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.23 (ETA April ‘22);

PAN-OS 9.0 versions earlier than PAN-OS 9.0.16-hf (ETA April ‘22);

PAN-OS 9.1 versions earlier than PAN-OS 9.1.13-hf (ETA April ‘22);

PAN-OS 10.0 versions earlier than PAN-OS 10.0.10 (ETA April ‘22);

PAN-OS 10.1 versions earlier than PAN-OS 10.1.5-hf (ETA April ‘22);

PAN-OS 10.2 versions earlier than PAN-OS 10.2.1 (ETA April ‘22).

The Prisma Access team continues to evaluate the impact of this vulnerability on the dataplane and will be in touch with Prisma Access customers.

This issue impacts all versions of GlobalProtect app and Cortex XDR agent.

Product Status

Cortex XDR Agentall
Cortex XSOARNoneall
GlobalProtect Appall
PAN-OS 10.2< 10.2.1>= 10.2.1
PAN-OS 10.1< 10.1.5-hf>= 10.1.5-hf
PAN-OS 10.0< 10.0.10>= 10.0.10
PAN-OS 9.1< 9.1.13-hf>= 9.1.13-hf
PAN-OS 9.0< 9.0.16-hf>= 9.0.16-hf
PAN-OS 8.1< 8.1.23>= 8.1.23
Prisma Access 3.0Preferred, Innovation
Prisma Access 2.2Preferred
Prisma Access 2.1Preferred, Innovation