PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the affected OSS package, PAN-OS does not offer any scenarios required for an attacker to successfully exploit these vulnerabilities and is not impacted.
| CVE | Summary |
|---|---|
| CVE-2015-7552 | PAN-OS is not affected as the affected components are not present or not used in PAN-OS. |
| CVE-2018-16840 | PAN-OS is not affected as the underlying operating system used by PAN-OS is not affected. |
| CVE-2020-7774 | PAN-OS is not affected as the affected components are not present or not used in PAN-OS. |
| CVE-2020-17049 | PAN-OS is not affected as the affected components are not present or not used in PAN-OS. |
| CVE-2021-4160 | PAN-OS is not affected as the affected components are not present or not used in PAN-OS. |
| CVE-2021-22570 | PAN-OS is not affected as the underlying operating system used by PAN-OS is not affected. |
| CVE-2021-41773 | PAN-OS is not affected as PAN-OS does not use the vulnerable httpd versions. |
| CVE-2022-1343 | PAN-OS is not affected as PAN-OS does not use the vulnerable OpenSSL versions. |
| CVE-2022-2274 | PAN-OS is not affected as PAN-OS does not use the vulnerable OpenSSL versions. |
| CVE-2022-3358 | PAN-OS is not affected as PAN-OS does not use the vulnerable OpenSSL versions. |
| CVE-2022-3996 | PAN-OS is not affected as the underlying operating system used by PAN-OS is not affected. |
| CVE-2022-22965 | PAN-OS is not affected as the affected components are not present or not used in PAN-OS. |
| CVE-2023-1255 | PAN-OS is not affected as PAN-OS does not use the vulnerable OpenSSL versions. |
| CVE-2023-3341 | PAN-OS is not affected as the affected components are not present or not used in PAN-OS. |
| CVE-2023-4236 | PAN-OS is not affected as the affected components are not present or not used in PAN-OS. |
| CVE-2023-4863 | PAN-OS is not affected as PAN-OS does not process untrusted images with pillow. |
| CVE-2023-22809 | PAN-OS is not affected as the affected components are not present or not used in PAN-OS. |
| CVE-2023-51767 | PAN-OS is not affected as no realistic scenarios exist where it is practical to exploit this issue. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS | None | All |
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of these issues in any of our products.
Solution
No software updates are required at this time.