PAN-SA-2020-0007 Informational: Third-party or open source vulnerabilities that do not impact Palo Alto Networks Products
Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated and determined that these third-party or open source vulnerabilities do not have any security impact on PAN-OS or that the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.
The conditions required to exploit jQuery vulnerabilities CVE-2020-11022 and CVE-2020-11023 do not exist in PAN-OS software. However, out of an abundance of caution, the jQuery library was upgraded in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.8, and all later PAN-OS versions to a fixed version that does not contain the vulnerable code.
CVE | Summary |
---|---|
CVE-2020-11896 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11897 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11898 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11899 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11900 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11901 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11902 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11903 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11904 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11905 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11906 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11907 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11908 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11909 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11910 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11911 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11912 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11913 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11914 | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2013-7459 | This vulnerability in pycrypto does not affect PAN-OS software. |
CVE-2018-1122 | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2018-16402 | Conditions required for exploiting this vulnerability in libelf do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2020-11022 | Conditions required for exploiting this vulnerability in jQuery do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2020-11023 | Conditions required for exploiting this vulnerability in jQuery do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2018-1121 | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2018-1120 | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2018-1123 | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2018-1124 | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS all | None | All |
Solution
No product updates are required for these issues.
The jQuery library used in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.8, and all later PAN-OS versions does not contain the vulnerable code associated with CVE-2020-11022 and CVE-2020-11023.