Palo Alto Networks Security Advisories / PAN-SA-2023-0001

PAN-SA-2023-0001 Impact of OpenSSL Vulnerabilities Disclosed Feb 7, 2023


Informational

Description

The Palo Alto Networks Product Security Assurance team has evaluated the OpenSSL vulnerabilities that were disclosed on February 7, 2023 (CVE-2023-0286, CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, and CVE-2023-0401) as it relates to our products. At this time, there are no demonstrated scenarios that enable successful exploitation of these vulnerabilities in our products.

Product Status

VersionsAffectedUnaffected
AutoFocus Noneall
Bridgecrew Noneall
Cloud NGFW Noneall
Cortex Data Lake Noneall
Cortex XDR Noneall
Cortex XDR Agent Noneall
Cortex Xpanse Noneall
Cortex XSOAR Noneall
Enterprise Data Loss Prevention Noneall
Exact Data Matching CLI Noneall
Expanse Noneall
Expedition Migration Tool Noneall
GlobalProtect App Noneall
IoT Security Noneall
Okyo Garde Noneall
Palo Alto Networks App for Splunk Noneall
PAN-OS Noneall
Prisma Access Noneall
Prisma Cloud Noneall
Prisma Cloud Compute Noneall
Prisma SD-WAN (CloudGenix) Noneall
Prisma SD-WAN ION Noneall
SaaS Security Noneall
User-ID Agent Noneall
WildFire Appliance (WF-500) Noneall
WildFire Cloud Noneall

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.

Solution

Out of an abundance of caution, OpenSSL has been upgraded or patched in the following products to address the underlying code defects that result in these vulnerabilities:

For PAN-OS, these changes will be available in PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions.

For GlobalProtect app, these changes will be available in GlobalProtect app 6.0.6 and later GlobalProtect app versions.

Timeline

Initial publication
© 2023 Palo Alto Networks, Inc. All rights reserved.