PAN-SA-2022-0007 Impact of OpenSSL 3.0 Vulnerability CVE-2022-3996

Palo Alto Networks Security Advisories / PAN-SA-2022-0007

PAN-SA-2022-0007 Impact of OpenSSL 3.0 Vulnerability CVE-2022-3996

Severity 0 · NONE

Attack Vector Not applicable

Scope Not applicable

Attack Complexity Not applicable

Confidentiality Impact NONE

Privileges Required Not applicable

Integrity Impact NONE

User Interaction Not applicable

Availability Impact NONE

JSON CSAF

Published 2022-12-23

Updated 2022-12-23

Reference PAN-SA-2022-0007

Discovered externally

Description

The OpenSSL Project has published a vulnerability CVE-2022-3996 that affects OpenSSL versions 3.0.0 through 3.0.7 on December 13, 2022. Exploitation of this vulnerability can result in a denial of service to an impacted application on Windows systems.

The Palo Alto Networks Product Security Assurance team has evaluated and confirmed that all products and services are not impacted by this vulnerability.

CVE	Summary
CVE-2022-3996	If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling either `X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.

CVE

Summary

CVE-2022-3996

If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling either `X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.

Product Status

Versions	Affected	Unaffected
WildFire Cloud	None	All
WildFire Appliance (WF-500)	None	All
User-ID Agent	None	All
SaaS Security	None	All
Prisma SD-WAN ION	None	All
Prisma SD-WAN (CloudGenix)	None	All
Prisma Cloud Compute	None	All
Prisma Cloud	None	All
Prisma Access	None	All
PAN-OS	None	All
Palo Alto Networks App for Splunk	None	All
Okyo Garde	None	All
IoT Security	None	All
GlobalProtect App	None	All
Expedition Migration Tool	None	All
Expanse	None	All
Exact Data Matching CLI	None	All
Enterprise Data Loss Prevention	None	All
Cortex XSOAR	None	All
Cortex Xpanse	None	All
Cortex XDR Agent	None	All
Cortex XDR	None	All
Cortex Data Lake	None	All
Cloud NGFW	None	All
Bridgecrew	None	All
AutoFocus	None	All

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.

Weakness Type

CWE-667 Improper Locking

Solution

No software updates are required at this time.

NOTE: Cortex XDR Broker VM versions earlier than Cortex XDR Broker VM 17.4.1 contain an affected version of the OpenSSL 3.0 library but are not impacted. There are no scenarios in Cortex XDR Broker VM software that enable successful exploitation of these vulnerabilities. The OpenSSL 3.0 library has been removed from Cortex XDR Broker VM 17.4.1 and later versions for security assurance.

Workarounds and Mitigations

There are no known workarounds for this issue.

Timeline

2022-12-23 Initial publication