Palo Alto Networks Security Advisories / PAN-SA-2024-0001

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS


Informational

Description

The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the affected OSS package, PAN-OS does not offer any scenarios required for an attacker to successfully exploit these vulnerabilities and is not impacted.

CVESummary
CVE-2017-8923This issue is only practical to exploit only when the memory limit is raised from its default to a value larger than 2 GiB. PAN-OS limits it to 128MB.
CVE-2017-9120This only impacts PHP scripts calling mysqli_real_escape_string(). PAN-OS does not make use of this function.
CVE-2017-18342Prerequisites for exploitating the vulnerable function do not exist on PAN-OS.
CVE-2019-16865PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2019-16905PAN-OS is not affected as our OpenSSH build does not support XMSS.
CVE-2019-19911PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2020-0466Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2020-5310PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2020-5313PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2020-7760CodeMirror bundled in PAN-OS does not have vulnerable code parts
CVE-2020-10379PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2020-11538PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2020-12321This only impacts some Intel Wireless Bluetooth devices, which are not part of any products.
CVE-2020-12362This only impacts Intel(R) Graphics Drivers for Windows. Does not affect PAN-OS.
CVE-2020-13757The vulnerable API isn't used in PAN-OS.
CVE-2020-15778File uploads to PAN-OS can only be initiated from within the PAN-OS firewall CLI. This CVE requires initiating the file upload from an external system, so PAN-OS is not affected.
CVE-2020-25211Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2020-25717Though PAN-OS software contains Samba packages, there isn't a Samba file and print server that runs in PAN-OS software. This CVE can not be exploited on PAN-OS.
CVE-2020-29661Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2020-35653PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2020-35654PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2020-36385Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-0512Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-0920Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-3347Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-3501Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-3609Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-4028Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-4083Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-4154Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-4155Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-20325The affected components are not present or not used in PAN-OS.
CVE-2021-21706This is a Windows-specific vulnerability, and does not impact PAN-OS.
CVE-2021-21708This only affects PHP scripts that use FILTER_VALIDATE_FLOAT. PAN-OS does not make use of this function.
CVE-2021-22543Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-22555Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-25217Prerequities for this CVE do not exist on PAN-OS.
CVE-2021-25289PAN-OS is not affected by this CVE as the underlying operating system used by PAN-OS is not affected.
CVE-2021-25290PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2021-25291PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2021-25293PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2021-26708Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-27364Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-27365Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-27921PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2021-27922PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2021-27923PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2021-28676PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2021-28677PAN-OS is not affected as PAN-OS does not process untrusted images with pillow.
CVE-2021-32399Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-33034Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-33909Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-33910The vulnerable systemd software is not included in PAN-OS.
CVE-2021-36368PAN-OS is not affected as the underlying operating system used by PAN-OS is not affected
CVE-2021-37576Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2021-43267The affected functionality does not exist in the kernel version used by PAN-OS.
CVE-2021-44790PAN-OS does not use the vulnerable mod_lua or proxy forwarding.
CVE-2022-0185Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-0330Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-0492Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-0516Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-0847Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-1158Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-1292PAN-OS is not affected as the "c_rehash" script affected by this CVE is not shipped with PAN-OS.
CVE-2022-1729Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-2068PAN-OS is not affected as the "c_rehash" script affected by this CVE is not shipped with PAN-OS.
CVE-2022-2526The vulnerable systemd software is not included in PAN-OS.
CVE-2022-2588Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-2639Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-2964Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-4139Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-4378Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-22721Exploit requires request body to be 350 MB. The request size in PAN-OS is 1MB. Therefore, this CVE does not impact PAN-OS.
CVE-2022-22817PAN-OS does not make use of the ImageMath module. Therefore, its eval() method is never called.
CVE-2022-22942Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-24303PAN-OS is not affected by this CVE as the underlying operating system components used by PAN-OS are not affected.
CVE-2022-25636Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-27666Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-28331PAN-OS is not affected as the underlying OS components used in PAN-OS are not affected.
CVE-2022-28615No code distributed with the httpd server can exploit this flaw and the vulnerable function is not used in PAN-OS.
CVE-2022-29217The vulnerable package is not used in PAN-OS.
CVE-2022-29804The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS.
CVE-2022-30634The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS.
CVE-2022-31625PAN-OS does not use the affected PostgreSQL extension.
CVE-2022-31626PAN-OS does not make use of the vulnerable PHP PDO MySQL driver and hence not impacted.
CVE-2022-31628PAN-OS does not make use of the vulnerable phar functionality.
CVE-2022-31676There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS.
CVE-2022-32250Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-36760PAN-OS is not affected as PAN-OS does not use the vulnerable mod_proxy_ajp.
CVE-2022-37454This issue is only practical to exploit only when the memory limit is raised from its default to a value larger than 4 GiB. PAN-OS has safer and restricted limits that do not enable exploting this vulnerability.
CVE-2022-38023Though PAN-OS software contains Samba packages, there isn't a Samba file and print server that runs in PAN-OS software. This CVE can not be exploited on PAN-OS.
CVE-2022-40897PAN-OS does not allow customers to install custom packages.
CVE-2022-41222Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2022-41716The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS.
CVE-2022-42898The vulnerable function/feature krb5_pac_parse() is not called from PAN-OS.
CVE-2022-45198The GIF images that are processed come with PAN-OS and cannot be submitted through any form of user input, so this is not exploitable.
CVE-2022-45199The TIFF images that are processed come with PAN-OS and cannot be submitted through any form of user input, so this is not exploitable.
CVE-2023-0386Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-0461Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-1281Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-1829Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-2235Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-3090Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-3390Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-3609Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-3611Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-3776Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-3812Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-4004Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-4206Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-4207Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-4208Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-4622Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-4623Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-4921Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-5178The affected kernel component is not used by PAN-OS.
CVE-2023-5633Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-6546Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-6817Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-20900There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS.
CVE-2023-23931The vulnerable functions/features are not used in PAN-OS. Prerequities for this CVE do not exist on PAN-OS.
CVE-2023-25690PAN-OS does not use the vulnerable component mod_proxy or mod_rewrite.
CVE-2023-31436Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-32233Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-34058There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS.
CVE-2023-34059There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS.
CVE-2023-35001Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-35788Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-37920The vulnerable component is not used in PAN-OS.
CVE-2023-38408This issue affects ssh-agent, which is not used or enabled in PAN-OS.
CVE-2023-40217The vulnerable Python features are not used in PAN-OS.
CVE-2023-42753Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-45283The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS.
CVE-2023-45284The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS.
CVE-2023-45871Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2023-46324The affected component is not used in PAN-OS.
CVE-2023-51384This issue affects ssh-agent, which is not used or enabled in PAN-OS.
CVE-2023-51385The ssh configuration file on PAN-OS does not contain the vulnerable configuration settings. Therefore, PAN-OS is not affected.
CVE-2023-51781Exploit requires shell access on PAN-OS, or ability to run arbitrary binaries. This is not possible on PAN-OS as only Palo Alto Network's signed binaries and scripts can be run. System enters maintenance mode if system files are tampered with.
CVE-2024-4577This is a Windows-specific vulnerability, and does not impact PAN-OS.

Product Status

VersionsAffectedUnaffected
PAN-OS NoneAll

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of these issues in any of our products.

Solution

No software updates are required at this time.

© 2024 Palo Alto Networks, Inc. All rights reserved.