PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the affected OSS package, PAN-OS does not offer any scenarios required for an attacker to successfully exploit these vulnerabilities and is not impacted.
| CVE | Summary |
|---|---|
| CVE-2017-8923 | This issue is only practical to exploit only when the memory limit is raised from its default to a value larger than 2 GiB. PAN-OS limits it to 128MB. |
| CVE-2017-9120 | This only impacts PHP scripts calling mysqli_real_escape_string(). PAN-OS does not make use of this function. |
| CVE-2017-18342 | Prerequisites for exploitating the vulnerable function do not exist on PAN-OS. |
| CVE-2020-0466 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2020-12321 | This only impacts some Intel Wireless Bluetooth devices, which are not part of any products. |
| CVE-2020-12362 | This only impacts Intel(R) Graphics Drivers for Windows. Does not affect PAN-OS. |
| CVE-2020-13757 | The vulnerable API isn't used in PAN-OS. |
| CVE-2020-15778 | Uploading files to PAN-OS via SCP is not supported, so PAN-OS is not affected. |
| CVE-2020-25211 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2020-25717 | Though PAN-OS software contains Samba packages, there isn't a Samba file and print server that runs in PAN-OS software. This CVE can not be exploited on PAN-OS. |
| CVE-2020-29661 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2020-36385 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-0512 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-0920 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-3347 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-3501 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-3609 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-4028 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-4083 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-4154 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-4155 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-20325 | The affected components are not present or not used in PAN-OS. |
| CVE-2021-21706 | This is a Windows-specific vulnerability, and does not impact PAN-OS. |
| CVE-2021-21708 | This only affects PHP scripts that use FILTER_VALIDATE_FLOAT. PAN-OS does not make use of this function. |
| CVE-2021-22543 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-22555 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-25217 | Prerequities for this CVE do not exist on PAN-OS. |
| CVE-2021-26708 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-27364 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-27365 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-32399 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-33034 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-33909 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-33910 | The vulnerable systemd software is not included in PAN-OS. |
| CVE-2021-37576 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2021-43267 | The affected functionality does not exist in the kernel version used by PAN-OS. |
| CVE-2021-44790 | PAN-OS does not use the vulnerable mod_lua or proxy forwarding. |
| CVE-2022-0185 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-0330 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-0492 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-0516 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-0847 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-1158 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-1729 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-2526 | The vulnerable systemd software is not included in PAN-OS. |
| CVE-2022-2588 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-2639 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-2964 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-4139 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-4378 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-22817 | PAN-OS does not make use of the ImageMath module. Therefore, its eval() method is never called. |
| CVE-2022-22942 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-25636 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-27666 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-29217 | The vulnerable package is not used in PAN-OS. |
| CVE-2022-29804 | The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS. |
| CVE-2022-30634 | The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS. |
| CVE-2022-31625 | PAN-OS does not use the affected PostgreSQL extension. |
| CVE-2022-31626 | PAN-OS does not make use of the vulnerable PHP PDO MySQL driver and hence not impacted. |
| CVE-2022-31628 | PAN-OS does not make use of the vulnerable phar functionality. |
| CVE-2022-31676 | There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS. |
| CVE-2022-32250 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-37454 | This issue is only practical to exploit only when the memory limit is raised from its default to a value larger than 4 GiB. PAN-OS has safer and restricted limits that do not enable exploting this vulnerability. |
| CVE-2022-38023 | Though PAN-OS software contains Samba packages, there isn't a Samba file and print server that runs in PAN-OS software. This CVE can not be exploited on PAN-OS. |
| CVE-2022-40897 | PAN-OS does not allow customers to install custom packages. |
| CVE-2022-41222 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2022-41716 | The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS. |
| CVE-2022-42898 | The vulnerable function/feature krb5_pac_parse() is not called from PAN-OS. |
| CVE-2022-45198 | The GIF images that are processed come with PAN-OS and cannot be submitted through any form of user input, so this is not exploitable. |
| CVE-2022-45199 | The TIFF images that are processed come with PAN-OS and cannot be submitted through any form of user input, so this is not exploitable. |
| CVE-2023-0386 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-0461 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-1281 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-1829 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-2235 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-3090 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-3390 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-3609 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-3611 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-3776 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-3812 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-4004 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-4206 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-4207 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-4208 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-4622 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-4623 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-4921 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-5178 | The affected kernel component is not used by PAN-OS. |
| CVE-2023-5633 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-6546 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-6817 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-20900 | There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS. |
| CVE-2023-23931 | The vulnerable functions/features are not used in PAN-OS. Prerequities for this CVE do not exist on PAN-OS. |
| CVE-2023-25690 | PAN-OS does not use the vulnerable component mod_proxy or mod_rewrite. |
| CVE-2023-31436 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-32233 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-34058 | There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS. |
| CVE-2023-34059 | There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS. |
| CVE-2023-35001 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-35788 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-38408 | This issue affects ssh-agent, which is not used or enabled in PAN-OS. |
| CVE-2023-40217 | The vulnerable Python features are not used in PAN-OS. |
| CVE-2023-42753 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-45283 | The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS. |
| CVE-2023-45284 | The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS. |
| CVE-2023-45871 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
| CVE-2023-46324 | The affected component is not used in PAN-OS. |
| CVE-2023-51781 | Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS | None | All |
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of these issues in any of our products.
Solution
No software updates are required at this time.