
PAN-SA-2020-0010 Informational: Cortex XSOAR: Impact of Linux and Docker vulnerabilities on Cortex XSOAR

Severity: 0 · NONE
Attack Vector: Not applicable
Scope: Not applicable
Attack Complexity: Not applicable
Confidentiality Impact: NONE
Privileges Required: Not applicable
Integrity Impact: NONE
User Interaction: Not applicable
Availability Impact: NONE


Cortex XSOAR provides analysts with the option to specify the Docker image used to run custom scripts and integrations. An analyst who has write permission to scripts or integrations is able to exploit a Docker vulnerability such as CVE-2019-5736, or a Linux kernel vulnerability such as CVE-2020-14386, to obtain root access on the Cortex XSOAR server.

Demisto Server does not use the docker exec command and does not expose a mechanism for an external attacker to manipulate or provide an attacker-controlled image for execution. Thus, CVE-2019-5736 does not increase exposure to an external attack.

CVE-2019-5021 is a vulnerability in Alpine Linux Docker images where the root password may be NULL. Cortex XSOAR has conducted a scan of all Docker images it maintains in its Docker Hub repository. Following the scan, we concluded that none of the Alpine-based images are affected by CVE-2019-5021 because they include neither the shadow nor the linux-pam package.

No Cortex XSOAR Docker images are impacted by CVE-2019-5021.

Product Status

Product        Versions   Affected   Unaffected
Cortex XSOAR   all        None       all

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)

Weakness Type

CWE-216 Containment Errors (Container Errors)


No Palo Alto Networks Cortex XSOAR product updates are required.

Upgrade Docker to the latest version (18.09.2 or later) as provided by your Linux vendor.

Upgrade affected Linux kernels to the latest available patch provided by your Linux vendor.

Workarounds and Mitigations

Mitigate CVE-2020-14386 by not running Docker containers as the root user. A non-root user within a container does not hold the CAP_NET_RAW capability needed to access raw packets. Follow the Cortex XSOAR Hardening Guide to configure a non-root internal user for Docker.
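As an added example (not part of this advisory and not Palo Alto Networks' own tooling), the POSIX shell script below performs two offline checks for the mitigation just described. `dockerfile_final_user` reports the user the final stage of a Dockerfile will run as, treating a missing USER instruction as root (Docker's default) and only honouring USER lines after the last FROM, since an earlier build stage's USER does not carry over. `cap_has_net_raw` tests a CapEff bitmask as printed in `/proc/<pid>/status` for capability number 13, which is CAP_NET_RAW in the Linux capability header. The three sample Dockerfiles are constructed for this example and are not images Cortex XSOAR ships; the function names and the `DEMO`-free `main` wrapper are this example's own.

```shell
#!/bin/sh
# Added example, not from the PAN-SA-2020-0010 advisory.

CAP_NET_RAW=13   # capability number from <linux/capability.h>

# Print the user the final image stage starts as and return 0 if it is
# non-root, 1 if it is root (explicitly, as uid 0, or by default).
dockerfile_final_user() {
    u=$(awk 'toupper($1)=="FROM" {u=""}   # a new stage starts as root again
             toupper($1)=="USER" {u=$2}   # later USER lines override earlier ones
             END {print u}' "$1")
    u=${u%%:*}                           # drop an optional ":group" suffix
    [ -n "$u" ] || u=root
    printf '%s\n' "$u"
    case "$u" in
        root|0) return 1 ;;
        *)      return 0 ;;
    esac
}

# $1 is a CapEff value such as 0000003fffffffff; true when bit 13 is set.
cap_has_net_raw() {
    [ $(( (0x$1 >> CAP_NET_RAW) & 1 )) -eq 1 ]
}

# Constructed sample Dockerfiles for this example (not real project images).
write_sample_dockerfiles() {
    cat > "$1/weak.Dockerfile" <<'EOF'
# USER is set only in the build stage; the final stage silently starts as root
FROM golang:1.20 AS build
RUN useradd -m builder
USER builder
COPY . /src
FROM alpine:3.18
COPY --from=build /src/tool /usr/local/bin/tool
EOF
    cat > "$1/regressed.Dockerfile" <<'EOF'
# a later USER root undoes the earlier non-root setting
FROM python:3.10-slim
RUN useradd -m app
USER app
COPY script.py /app/
USER root
EOF
    cat > "$1/hardened.Dockerfile" <<'EOF'
# corrected setting: the final stage runs as an unprivileged uid:gid
FROM python:3.10-slim
RUN groupadd -g 1000 app && useradd -u 1000 -g 1000 -m app
COPY script.py /app/
USER 1000:1000
EOF
}

main() {
    dir=$(mktemp -d)
    write_sample_dockerfiles "$dir"
    for f in weak regressed hardened; do
        if u=$(dockerfile_final_user "$dir/$f.Dockerfile"); then
            echo "$f.Dockerfile: final user '$u' (non-root, mitigation in place)"
        else
            echo "$f.Dockerfile: final user '$u' (runs as root, mitigation missing)"
        fi
    done
    rm -rf "$dir"
    # On Linux, also report whether the current shell itself holds CAP_NET_RAW.
    if [ -r /proc/self/status ]; then
        eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
        if cap_has_net_raw "$eff"; then
            echo "this shell holds CAP_NET_RAW (CapEff=$eff)"
        else
            echo "this shell lacks CAP_NET_RAW (CapEff=$eff)"
        fi
    fi
}

main
```

Run the script as-is to see the three verdicts; point `dockerfile_final_user` at your own Dockerfile to check an image definition before it is referenced from a script or integration, and feed `cap_has_net_raw` the CapEff line of a process inside a running container to confirm the capability really is absent there.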

Mitigate CVE-2019-5736 by disabling write access to scripts and integrations for untrusted analysts.


Initial publication
© 2023 Palo Alto Networks, Inc. All rights reserved.