PAN-SA-2020-0007 Informational: Third-party or open source vulnerabilities that do not impact Palo Alto Networks Products
Description
The Palo Alto Networks Product Security Assurance team has evaluated and determined that these third-party or open source vulnerabilities do not have any security impact on PAN-OS or that the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.
The conditions required to exploit jQuery vulnerabilities CVE-2020-11022 and CVE-2020-11023 do not exist in PAN-OS software. However, out of an abundance of caution, the jQuery library was upgraded in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.8, and all later PAN-OS versions to a fixed version that does not contain the vulnerable code.
CVE | CVSS | Summary |
---|---|---|
CVE-2020-11896 | 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11897 | 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11898 | 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11899 | 5.4 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11900 | 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11901 | 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11902 | 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11903 | 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11904 | 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11905 | 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11906 | 6.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11907 | 6.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11908 | 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11909 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11910 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11911 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11912 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11913 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2020-11914 | 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | This vulnerability in Treck TCP/IP stack (also known as Ripple20) does not impact PAN-OS software. |
CVE-2013-7459 | 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | This vulnerability in pycrypto does not affect PAN-OS software. |
CVE-2018-1122 | 7.0 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2018-16402 | 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Conditions required for exploiting this vulnerability in libelf do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2020-11022 | 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) | Conditions required for exploiting this vulnerability in jQuery do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2020-11023 | 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) | Conditions required for exploiting this vulnerability in jQuery do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2018-1121 | 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2018-1120 | 5.3 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2018-1123 | 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
CVE-2018-1124 | 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | Conditions required for exploiting this vulnerability in procps-ng do not exist in PAN-OS software. Hence PAN-OS software is not impacted. |
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS all | None | All |
Severity: NONE
CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)
Weakness Type
Solution
No product updates are required for these issues.
The jQuery library used in PAN-OS 8.1.19, PAN-OS 9.0.13, PAN-OS 9.1.8, and all later PAN-OS versions does not contain the vulnerable code associated with CVE-2020-11022 and CVE-2020-11023.