PAN-SA-2020-0007 Informational: Third-party or open source vulnerabilities that do not impact Palo Alto Networks Products

Severity: 0 · NONE
Attack Vector: Not applicable
Scope: Not applicable
Attack Complexity: Not applicable
Confidentiality Impact: NONE
Privileges Required: Not applicable
Integrity Impact: NONE
User Interaction: Not applicable
Availability Impact: NONE

Description

The Palo Alto Networks Product Security Assurance team has evaluated and determined that these third-party or open source vulnerabilities do not have any security impact on PAN-OS or that the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.

The conditions required to exploit jQuery vulnerabilities CVE-2020-11022 and CVE-2020-11023 do not exist in PAN-OS software. However, out of an abundance of caution, the jQuery library was upgraded to a fixed version that does not contain the vulnerable code in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.8, and all later PAN-OS versions.

| CVE | CVSS | Summary |
| --- | --- | --- |
| CVE-2020-11896 | 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11897 | 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11898 | 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11899 | 5.4 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11900 | 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11901 | 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11902 | 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11903 | 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11904 | 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11905 | 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11906 | 6.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11907 | 6.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11908 | 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11909 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11910 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11911 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11912 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11913 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2020-11914 | 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
| CVE-2013-7459 | 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | This vulnerability in pycrypto does not affect PAN-OS software. |
| CVE-2018-1122 | 7.0 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2018-16402 | 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Conditions required for exploiting this vulnerability in libelf do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-11022 | 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) | Conditions required for exploiting this vulnerability in jQuery do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2020-11023 | 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) | Conditions required for exploiting this vulnerability in jQuery do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2018-1121 | 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2018-1120 | 5.3 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2018-1123 | 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
| CVE-2018-1124 | 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |

Product Status

| Versions | Affected | Unaffected |
| --- | --- | --- |
| PAN-OS all | None | all |

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)

Weakness Type

Solution

No product updates are required for these issues.

The jQuery library used in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.8, and all later PAN-OS versions does not contain the vulnerable code used to exploit vulnerabilities CVE-2020-11022 and CVE-2020-11023.

Timeline

Added versions of PAN-OS that upgrade jQuery to a fixed version
Initial publication