PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the affected OSS package, PAN-OS does not offer any scenarios required for an attacker to successfully exploit these vulnerabilities and is not impacted.
| CVE | Summary |
|---|---|
| CVE-2016-4607 | PAN-OS is not affected as the underlying operating system components used by PAN-OS are not affected. |
| CVE-2016-4608 | PAN-OS is not affected as the underlying operating system components used by PAN-OS are not affected. |
| CVE-2016-4609 | PAN-OS is not affected as the underlying operating system components used by PAN-OS are not affected. |
| CVE-2016-4738 | PAN-OS is not affected as the underlying operating system components used by PAN-OS are not affected. |
| CVE-2018-1111 | PAN-OS is not affected as PAN-OS does not use NetworkManager. |
| CVE-2018-14634 | PAN-OS is not affected as the underlying operating system components used by PAN-OS are not affected |
| CVE-2018-18653 | PAN-OS is not affected as this is an issue with Ubuntu. |
| CVE-2019-0145 | PAN-OS is not affected as PAN-OS uses a fixed version of the i40e driver |
| CVE-2019-8331 | PAN-OS is not affected as PAN-OS does not use a vulnerable version of bootstrap |
| CVE-2020-0599 | PAN-OS is not affected as PAN-OS does not use the vulnerable processors. |
| CVE-2020-14779 | PAN-OS is not affected as the Java in PAN-OS comes from ElasticSearch, and ElasticSearch is not affected. |
| CVE-2020-27844 | PAN-OS is not affected as the openjpeg2 implementation used in PAN-OS is not affected. |
| CVE-2020-29569 | PAN-OS is not affected as CONFIG_XEN_BLKDEV_BACKEND is not enabled on PAN-OS. |
| CVE-2021-3618 | PAN-OS is not affected as the NGINX used in PAN-OS is not built with mail_ssl_module |
| CVE-2021-27853 | PAN-OS is not affected since it does not offer Layer 2 network filtering capabilities that take action based on analysis of Layer 2 traffic, such as RA Guard, Dynamic ARP Inspection, DHCP Security, or Secure IPv6 Neighbor Discovery. |
| CVE-2021-27854 | PAN-OS is not affected since it does not offer Layer 2 network filtering capabilities that take action based on analysis of Layer 2 traffic, such as RA Guard, Dynamic ARP Inspection, DHCP Security, or Secure IPv6 Neighbor Discovery. |
| CVE-2021-27861 | PAN-OS is not affected since it does not offer Layer 2 network filtering capabilities that take action based on analysis of Layer 2 traffic, such as RA Guard, Dynamic ARP Inspection, DHCP Security, or Secure IPv6 Neighbor Discovery. |
| CVE-2021-27862 | PAN-OS is not affected since it does not offer Layer 2 network filtering capabilities that take action based on analysis of Layer 2 traffic, such as RA Guard, Dynamic ARP Inspection, DHCP Security, or Secure IPv6 Neighbor Discovery. |
| CVE-2022-22816 | PAN-OS is not affected as PAN-OS does not process untrusted images with pillow. |
| CVE-2022-40303 | PAN-OS is not affected as the libxml2 used in PAN-OS is not compiled with XML_PARSE_HUGE. |
| CVE-2022-41723 | PAN-OS is not affected as PAN-OS does not use http2 server |
| CVE-2022-41741 | PAN-OS is not affected as the NGINX used in PAN-OS is not built with ngx_http_mp4_module |
| CVE-2022-41742 | PAN-OS is not affected as the NGINX used in PAN-OS is not built with ngx_http_mp4_module |
| CVE-2023-3247 | PAN-OS is not affected as PAN-OS does not support SOAP requests. |
| CVE-2023-44466 | PAN-OS is not affected as the kernel used in PAN-OS does not support v2 messages. |
| CVE-2023-50781 | PAN-OS is not affected as the m2crypto implementation used by PAN-OS is not affected. |
| CVE-2023-50782 | PAN-OS is not affected as PAN-OS does not use PKCSv1.15 for RSA decryption. |
| GHSA-56pw-mpj4-fxww | PAN-OS is not affected as PAN-OS does not process untrusted images with pillow. |
| GHSA-jgpv-4h4c-xhw3 | PAN-OS is not affected as PAN-OS does not process untrusted images with pillow. |
| PRISMA-2021-0010 | PAN-OS is not affected as PAN-OS does not process untrusted images with pillow. |
| PRISMA-2021-0015 | PAN-OS is not affected as PAN-OS does not process untrusted images with pillow. |
| PRISMA-2022-0168 | PAN-OS is not affected as PAN-OS does not allow users to download packages using pip. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS | None | All |
Required Configuration for Exposure
PAN-OS is not vulnerable under any configuration.
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Workarounds and Mitigations
No workarounds or mitigations are needed.