CVE-2024-5535 Informational Bulletin: Impact of OpenSSL Vulnerabilities CVE-2024-5535 and CVE-2024-6119
Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated CVE-2024-5535 and CVE-2024-6119 as they relate to our products.
PAN-OS, Cloud NGFW, Prisma Access, and Cortex XDR Agent are not affected by CVE-2024-5535 or CVE-2024-6119.
At present, no other Palo Alto Networks products are known to contain the vulnerable software packages and be impacted by these issues.
| CVE | Summary |
|---|---|
| CVE-2024-5535 | The vulnerable function, SSL_select_next_proto, is not used in the products listed, making them unaffected. Other circumstances required for this vulnerability do not exist in our products. |
| CVE-2024-6119 | PAN-OS software does not use an affected version of OpenSSL. Cortex XDR agent uses the FIPS OpenSSL module and is therefore unaffected. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| Cortex XDR agent | None | All |
| PAN-OS | None | All |
| Prisma Access | None | All |
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Solution
No software updates are required at this time.
Timeline
Added statement for CVE-2024-6119
Initial publication