Palo Alto Networks Security Advisories / CVE-2017-5715

CVE-2017-5715 Meltdown and Spectre update for WildFire-500 Appliance

Severity 5.6 · MEDIUM
Attack Vector LOCAL
Attack Complexity HIGH
Privileges Required LOW
User Interaction NONE
Scope CHANGED
Confidentiality Impact HIGH
Integrity Impact NONE
Availability Impact NONE

Description

Palo Alto Networks has determined that the WildFire-500 (WF-500) appliance is affected by the vulnerability disclosures known as Meltdown and Spectre, and has completed an update to address these issues. The WF-500 software update is now available to customers who use the WF-500 appliance for on-premises sandboxing. Please note that customers using the WildFire cloud service are NOT impacted by this advisory. (PAN-91139/CVE-2017-5715)

Successful exploitation of this issue may allow code in a guest image to read data from the host on which it resides in a sandbox appliance. The analysis method utilized by the WF-500 mitigates the impact of this issue.

This issue affects the WF-500 (WildFire Appliance) running appliance software versions 8.0.9 and earlier, including all versions of 7.1, 7.0, and 6.1. Please note: WF-500 appliance software versions 8.1.0 and later are not impacted by this advisory.

Product Status

Versions                 Affected    Unaffected
WildFire Appliance 8.0   <= 8.0.9    >= 8.0.10
WildFire Appliance 7.1   None        >= 7.1

Severity: MEDIUM

CVSSv3.1 Base Score: 5.6 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

Weakness Type

CWE-200 Information Exposure

Solution

This issue is fixed in WF-500 appliance software version 8.0.10 and later. For WF-500 appliance software versions 7.1 and earlier, please consult the Administrator’s Guide for steps to upgrade (https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/set-up-and-manage-a-wildfire-appliance/upgrade-a-wildfire-appliance#idbce6a8ca-f900-4a49-b28b-de089139ce93).

Workarounds and Mitigations

Customers not using the WF-500 WildFire Appliance are not impacted by this advisory. Customers using the WildFire cloud are not impacted by this advisory.
