Palo Alto Networks Security Advisories / PAN-SA-2022-0007

PAN-SA-2022-0007 Impact of OpenSSL 3.0 Vulnerability CVE-2022-3996


047910
Severity 0 · NONE
Attack Vector Not applicable
Scope Not applicable
Attack Complexity Not applicable
Confidentiality Impact NONE
Privileges Required Not applicable
Integrity Impact NONE
User Interaction Not applicable
Availability Impact NONE

Description

The OpenSSL Project has published a vulnerability CVE-2022-3996 that affects OpenSSL versions 3.0.0 through 3.0.7 on December 13, 2022. Exploitation of this vulnerability can result in a denial of service to an impacted application on Windows systems.

The Palo Alto Networks Product Security Assurance team has evaluated and confirmed that all products and services are not impacted by this vulnerability.

CVESummary
CVE-2022-3996If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling either `X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.

Product Status

VersionsAffectedUnaffected
WildFire Cloud NoneAll
WildFire Appliance (WF-500) NoneAll
User-ID Agent NoneAll
SaaS Security NoneAll
Prisma SD-WAN ION NoneAll
Prisma SD-WAN (CloudGenix) NoneAll
Prisma Cloud Compute NoneAll
Prisma Cloud NoneAll
Prisma Access NoneAll
PAN-OS NoneAll
Palo Alto Networks App for Splunk NoneAll
Okyo Garde NoneAll
IoT Security NoneAll
GlobalProtect App NoneAll
Expedition Migration Tool NoneAll
Expanse NoneAll
Exact Data Matching CLI NoneAll
Enterprise Data Loss Prevention NoneAll
Cortex XSOAR NoneAll
Cortex Xpanse NoneAll
Cortex XDR Agent NoneAll
Cortex XDR NoneAll
Cortex Data Lake NoneAll
Cloud NGFW NoneAll
Bridgecrew NoneAll
AutoFocus NoneAll

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.

Weakness Type

CWE-667 Improper Locking

Solution

No software updates are required at this time.

NOTE: Cortex XDR Broker VM versions earlier than Cortex XDR Broker VM 17.4.1 contain an affected version of the OpenSSL 3.0 library but are not impacted. There are no scenarios in Cortex XDR Broker VM software that enable successful exploitation of these vulnerabilities. The OpenSSL 3.0 library has been removed from Cortex XDR Broker VM 17.4.1 and later versions for security assurance.

Workarounds and Mitigations

There are no known workarounds for this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.