{"document":{"category":"csaf_vex","csaf_version":"2.1","notes":[{"category":"summary","text":"Palo Alto Networks PSIRT provided VEX document. This document is autogenerated.","title":"OpenSSL Man-in-the-middle vulnerability"}],"publisher":{"category":"vendor","name":"Palo Alto Networks","namespace":"https://security.paloaltonetworks.com"},"title":"Palo Alto Networks PSIRT provided VEX document: CVE-2014-0224","distribution":{"text":"Copyright © 2024 Palo Alto Networks. All rights reserved.","tlp":{"label":"CLEAR","url":"https://www.first.org/tlp/"}},"tracking":{"current_release_date":"2026-04-11T00:53:33.368Z","generator":{"date":"2026-04-11T00:53:33.368Z","engine":{"name":"Vulnogram","version":"0.0.9"}},"id":"CVE-2014-0224","initial_release_date":"2014-06-09T07:00:00.000Z","revision_history":[{"number":"1","date":"2026-04-10T17:53:33.000Z","summary":"Initial release"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"name":"Palo Alto Networks","category":"vendor","branches":[]}]},"vulnerabilities":[{"cve":"CVE-2014-0224","product_status":{"known_not_affected":["PANW-PAN-OS-485","PANW-PAN-OS-486","PANW-PAN-OS-487"]},"notes":[{"category":"description","text":"The Palo Alto Networks product security engineering team has completed analysis of our products' exposure to the vulnerabilities described in the OpenSSL Security Advisory dated June 5th, 2014.  Of the 7 CVEs highlighted in the advisory, only CVE-2014-0224 is relevant to our software.  The remaining vulnerabilities to not apply because we do not use or support use of Datagram Transport Layer Security (DTLS), nor do we use anonymous Elliptic curve Diffie-Hellman (ECDH) on our software clients.  Our exposure to CVE-2014-0224 is limited because both client and server must be vulnerable.  While our client-side is vulnerable, the server-side is not.  This limits exposure to potential man-in-the-middle (MITM) attacks only to sessions our software initiates with servers outside of our control that are running a vulnerable version of OpenSSL (OpenSSL 1.0.1 and 1.0.2-beta1).  As such, services that may be vulnerable to MITM depending on customer configuration include: firewall services using SSL configured to use a proxy running a vulnerable OpenSSL server, syslog over SSL to a syslog server running a  vulnerable OpenSSL server, and the User-ID agent connecting to a directory server running a vulnerable OpenSSL server.  GlobalProtect is not vulnerable because our portal and gateway servers are not vulnerable.\n\nIn response to these issues, Palo Alto Networks is including a patch to the OpenSSL software used across our products with the next scheduled maintenance release for all supported versions of PAN-OS / Panorama, User-ID agent, and GlobalProtect.  Users can mitigate their exposure by ensuring that any servers described above are not running vulnerable versions of OpenSSL (1.0.1 and 1.0.2-beta1).  If customers have any further questions related to product exposure to this OpenSSL security advisory, they can contact support.\nThis issue requires an attacker to be able to act as a man-in-the-middle to certain firewall services, such as syslog, User-ID agent, or services between PAN-OS / Panorama and a proxy.  The issue further requires that the servers that PAN-OS / Panorama initiates connections with to perform these services are also vulnerable to CVE-2014-0224.\n\nGlobalProtect VPN is not vulnerable, as the PAN-OS Portal and Gateway servers are not vulnerable.\nThis issue affects All versions of PAN-OS / Panorama."}],"references":[{"category":"external","summary":"NVD - CVE-2014-0224","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0224"},{"category":"self","summary":"Palo Alto Networks Security Advisory CVE-2014-0224","url":"https://security.paloaltonetworks.com/CVE-2014-0224"}],"threats":[{"category":"impact","description":"The Palo Alto Networks product security engineering team has completed analysis of our products' exposure to the vulnerabilities described in the OpenSSL Security Advisory dated June 5th, 2014.  Of the 7 CVEs highlighted in the advisory, only CVE-2014-0224 is relevant to our software.  The remaining vulnerabilities to not apply because we do not use or support use of Datagram Transport Layer Security (DTLS), nor do we use anonymous Elliptic curve Diffie-Hellman (ECDH) on our software clients.  Our exposure to CVE-2014-0224 is limited because both client and server must be vulnerable.  While our client-side is vulnerable, the server-side is not.  This limits exposure to potential man-in-the-middle (MITM) attacks only to sessions our software initiates with servers outside of our control that are running a vulnerable version of OpenSSL (OpenSSL 1.0.1 and 1.0.2-beta1).  As such, services that may be vulnerable to MITM depending on customer configuration include: firewall services using SSL configured to use a proxy running a vulnerable OpenSSL server, syslog over SSL to a syslog server running a  vulnerable OpenSSL server, and the User-ID agent connecting to a directory server running a vulnerable OpenSSL server.  GlobalProtect is not vulnerable because our portal and gateway servers are not vulnerable.\n\nIn response to these issues, Palo Alto Networks is including a patch to the OpenSSL software used across our products with the next scheduled maintenance release for all supported versions of PAN-OS / Panorama, User-ID agent, and GlobalProtect.  Users can mitigate their exposure by ensuring that any servers described above are not running vulnerable versions of OpenSSL (1.0.1 and 1.0.2-beta1).  If customers have any further questions related to product exposure to this OpenSSL security advisory, they can contact support.\nThis issue requires an attacker to be able to act as a man-in-the-middle to certain firewall services, such as syslog, User-ID agent, or services between PAN-OS / Panorama and a proxy.  The issue further requires that the servers that PAN-OS / Panorama initiates connections with to perform these services are also vulnerable to CVE-2014-0224.\n\nGlobalProtect VPN is not vulnerable, as the PAN-OS Portal and Gateway servers are not vulnerable.\nThis issue affects All versions of PAN-OS / Panorama."}],"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH"},"products":[]}]}]}