Last revised: 04/27/2012
The OpenSSL library implementation is vulnerable to a plaintext recovery attack in which an attacker performs timing analysis of the time the library takes to decrypt encrypted data. A detailed report of this issue is available at http://www.isg.rhul.ac.uk/~kp/dtls.pdf. (Ref #36017)
This vulnerability can theoretically result in plaintext recovery of a web management UI session, leading to possible session hijack and control of the device.
Affected versions: PAN-OS 4.1.2 and earlier; PAN-OS 4.0.9 and earlier; PAN-OS 3.1.11 and earlier.
Fixed versions: PAN-OS 4.1.3 and later; PAN-OS 4.0.10 and later; PAN-OS 3.1.12 and later.
This issue affects the management interface of the device. Security appliance management best practices dictate that the management interface be isolated and access to it strictly limited to security administration personnel.