{"document":{"category":"csaf_vex","csaf_version":"2.1","notes":[{"category":"summary","text":"Palo Alto Networks PSIRT provided VEX document. This document is autogenerated.","title":"Impact of OpenSSL 3.0 Vulnerabilities CVE-2022-3786 and CVE-2022-3602"}],"publisher":{"category":"vendor","name":"Palo Alto Networks","namespace":"https://security.paloaltonetworks.com"},"title":"Palo Alto Networks PSIRT provided VEX document: PAN-SA-2022-0006","distribution":{"text":"Copyright © 2024 Palo Alto Networks. All rights reserved.","tlp":{"label":"CLEAR","url":"https://www.first.org/tlp/"}},"tracking":{"current_release_date":"2026-07-15T00:46:58.354Z","generator":{"date":"2026-07-15T00:46:58.354Z","engine":{"name":"vulnogram","version":"0.1.0-rc1"}},"id":"PAN-SA-2022-0006","initial_release_date":"2022-10-31T23:38:00.000Z","revision_history":[{"number":"1","date":"2022-10-31T16:38:00.000Z","summary":"Initial publication"},{"number":"2","date":"2022-11-01T09:30:00.000Z","summary":"Updated advisory to reference the CVEs"},{"number":"3","date":"2022-11-01T21:45:00.000Z","summary":"A threat prevention signature is now available for CVE-2022-3602"},{"number":"4","date":"2022-11-02T19:40:00.000Z","summary":"Cortex XDR Broker VM 17.4.1 is released and removes OpenSSL 3.0 for security assurance"},{"number":"5","date":"2022-11-09T09:00:00.000Z","summary":"Investigation is complete"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"name":"Palo Alto Networks","category":"vendor","branches":[{"name":"PAN-OS","category":"product_name","branches":[{"category":"product_version","name":"PAN-OS All","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-1"}}]},{"name":"Cortex XDR Agent","category":"product_name","branches":[{"category":"product_version","name":"Cortex XDR Agent All","product":{"name":"Palo Alto Networks Cortex XDR Agent","product_id":"PANW-Cortex-XDR-Agent-1"}}]},{"name":"GlobalProtect App","category":"product_name","branches":[{"category":"product_version","name":"GlobalProtect App All","product":{"name":"Palo Alto Networks GlobalProtect App","product_id":"PANW-GlobalProtect-App-1"}}]},{"name":"Cortex XSOAR","category":"product_name","branches":[{"category":"product_version","name":"Cortex XSOAR All","product":{"name":"Palo Alto Networks Cortex XSOAR","product_id":"PANW-Cortex-XSOAR-4"}}]},{"name":"WildFire Appliance (WF-500)","category":"product_name","branches":[{"category":"product_version","name":"WildFire Appliance (WF-500) All","product":{"name":"Palo Alto Networks WildFire Appliance (WF-500)","product_id":"PANW-WildFire-Appliance-(WF-500)-1"}}]},{"name":"Expanse","category":"product_name","branches":[{"category":"product_version","name":"Expanse All","product":{"name":"Palo Alto Networks Expanse","product_id":"PANW-Expanse-1"}}]},{"name":"Okyo Garde","category":"product_name","branches":[{"category":"product_version","name":"Okyo Garde All","product":{"name":"Palo Alto Networks Okyo Garde","product_id":"PANW-Okyo-Garde-1"}}]},{"name":"Palo Alto Networks App for Splunk","category":"product_name","branches":[{"category":"product_version","name":"Palo Alto Networks App for Splunk All","product":{"name":"Palo Alto Networks Palo Alto Networks App for Splunk","product_id":"PANW-Palo-Alto-Networks-App-for-Splunk-1"}}]},{"name":"Prisma Cloud Compute","category":"product_name","branches":[{"category":"product_version","name":"Prisma Cloud Compute All","product":{"name":"Palo Alto Networks Prisma Cloud Compute","product_id":"PANW-Prisma-Cloud-Compute-1"}}]},{"name":"Expedition Migration Tool","category":"product_name","branches":[{"category":"product_version","name":"Expedition Migration Tool All","product":{"name":"Palo Alto Networks Expedition Migration Tool","product_id":"PANW-Expedition-Migration-Tool-1"}}]},{"name":"IoT Security","category":"product_name","branches":[{"category":"product_version","name":"IoT Security All","product":{"name":"Palo Alto Networks IoT Security","product_id":"PANW-IoT-Security-1"}}]},{"name":"User-ID Agent","category":"product_name","branches":[{"category":"product_version","name":"User-ID Agent All","product":{"name":"Palo Alto Networks User-ID Agent","product_id":"PANW-User-ID-Agent-1"}}]},{"name":"Exact Data Matching CLI","category":"product_name","branches":[{"category":"product_version","name":"Exact Data Matching CLI All","product":{"name":"Palo Alto Networks Exact Data Matching CLI","product_id":"PANW-Exact-Data-Matching-CLI-1"}}]},{"name":"Bridgecrew","category":"product_name","branches":[{"category":"product_version","name":"Bridgecrew All","product":{"name":"Palo Alto Networks Bridgecrew","product_id":"PANW-Bridgecrew-1"}}]},{"name":"Cortex Xpanse","category":"product_name","branches":[{"category":"product_version","name":"Cortex Xpanse All","product":{"name":"Palo Alto Networks Cortex Xpanse","product_id":"PANW-Cortex-Xpanse-1"}}]},{"name":"Enterprise Data Loss Prevention","category":"product_name","branches":[{"category":"product_version","name":"Enterprise Data Loss Prevention All","product":{"name":"Palo Alto Networks Enterprise Data Loss Prevention","product_id":"PANW-Enterprise-Data-Loss-Prevention-1"}}]},{"name":"Prisma SD-WAN (CloudGenix)","category":"product_name","branches":[{"category":"product_version","name":"Prisma SD-WAN (CloudGenix) All","product":{"name":"Palo Alto Networks Prisma SD-WAN (CloudGenix)","product_id":"PANW-Prisma-SD-WAN-(CloudGenix)-1"}}]},{"name":"Prisma SD-WAN ION","category":"product_name","branches":[{"category":"product_version","name":"Prisma SD-WAN ION All","product":{"name":"Palo Alto Networks Prisma SD-WAN ION","product_id":"PANW-Prisma-SD-WAN-ION-1"}}]},{"name":"SaaS Security","category":"product_name","branches":[{"category":"product_version","name":"SaaS Security All","product":{"name":"Palo Alto Networks SaaS Security","product_id":"PANW-SaaS-Security-1"}}]},{"name":"Cortex Data Lake","category":"product_name","branches":[{"category":"product_version","name":"Cortex Data Lake All","product":{"name":"Palo Alto Networks Cortex Data Lake","product_id":"PANW-Cortex-Data-Lake-1"}}]},{"name":"AutoFocus","category":"product_name","branches":[{"category":"product_version","name":"AutoFocus All","product":{"name":"Palo Alto Networks AutoFocus","product_id":"PANW-AutoFocus-1"}}]},{"name":"WildFire Cloud","category":"product_name","branches":[{"category":"product_version","name":"WildFire Cloud All","product":{"name":"Palo Alto Networks WildFire Cloud","product_id":"PANW-WildFire-Cloud-1"}}]},{"name":"Prisma Cloud","category":"product_name","branches":[{"category":"product_version","name":"Prisma Cloud All","product":{"name":"Palo Alto Networks Prisma Cloud","product_id":"PANW-Prisma-Cloud-1"}}]},{"name":"Cloud NGFW","category":"product_name","branches":[{"category":"product_version","name":"Cloud NGFW All","product":{"name":"Palo Alto Networks Cloud NGFW","product_id":"PANW-Cloud-NGFW-1"}}]},{"name":"Prisma Access","category":"product_name","branches":[{"category":"product_version","name":"Prisma Access All","product":{"name":"Palo Alto Networks Prisma Access","product_id":"PANW-Prisma-Access-1"}}]},{"name":"Cortex XDR","category":"product_name","branches":[{"category":"product_version","name":"Cortex XDR All","product":{"name":"Palo Alto Networks Cortex XDR","product_id":"PANW-Cortex-XDR-1"}}]}]}]},"vulnerabilities":[{"cve":"CVE-2022-3786","product_status":{"known_not_affected":["PANW-PAN-OS-1","PANW-Cortex-XDR-Agent-1","PANW-GlobalProtect-App-1","PANW-Cortex-XSOAR-4","PANW-WildFire-Appliance-(WF-500)-1","PANW-Expanse-1","PANW-Okyo-Garde-1","PANW-Palo-Alto-Networks-App-for-Splunk-1","PANW-Prisma-Cloud-Compute-1","PANW-Expedition-Migration-Tool-1","PANW-IoT-Security-1","PANW-User-ID-Agent-1","PANW-Exact-Data-Matching-CLI-1","PANW-Bridgecrew-1","PANW-Cortex-Xpanse-1","PANW-Enterprise-Data-Loss-Prevention-1","PANW-Prisma-SD-WAN-(CloudGenix)-1","PANW-Prisma-SD-WAN-ION-1","PANW-SaaS-Security-1","PANW-Cortex-Data-Lake-1","PANW-AutoFocus-1","PANW-WildFire-Cloud-1","PANW-Prisma-Cloud-1","PANW-Cloud-NGFW-1","PANW-Prisma-Access-1","PANW-Cortex-XDR-1"]},"notes":[{"category":"description","text":"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects."}],"references":[{"category":"external","summary":"NVD - CVE-2022-3786","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3786"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2022-0006","url":"https://security.paloaltonetworks.com/PAN-SA-2022-0006"}],"threats":[{"category":"impact","description":"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects."}]},{"cve":"CVE-2022-3602","product_status":{"known_not_affected":["PANW-PAN-OS-1","PANW-Cortex-XDR-Agent-1","PANW-GlobalProtect-App-1","PANW-Cortex-XSOAR-4","PANW-WildFire-Appliance-(WF-500)-1","PANW-Expanse-1","PANW-Okyo-Garde-1","PANW-Palo-Alto-Networks-App-for-Splunk-1","PANW-Prisma-Cloud-Compute-1","PANW-Expedition-Migration-Tool-1","PANW-IoT-Security-1","PANW-User-ID-Agent-1","PANW-Exact-Data-Matching-CLI-1","PANW-Bridgecrew-1","PANW-Cortex-Xpanse-1","PANW-Enterprise-Data-Loss-Prevention-1","PANW-Prisma-SD-WAN-(CloudGenix)-1","PANW-Prisma-SD-WAN-ION-1","PANW-SaaS-Security-1","PANW-Cortex-Data-Lake-1","PANW-AutoFocus-1","PANW-WildFire-Cloud-1","PANW-Prisma-Cloud-1","PANW-Cloud-NGFW-1","PANW-Prisma-Access-1","PANW-Cortex-XDR-1"]},"notes":[{"category":"description","text":"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6)."}],"references":[{"category":"external","summary":"NVD - CVE-2022-3602","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3602"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2022-0006","url":"https://security.paloaltonetworks.com/PAN-SA-2022-0006"}],"threats":[{"category":"impact","description":"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6)."}]}]}