PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
Informational
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the affected OSS package, PAN-OS does not offer any scenarios required for an attacker to successfully exploit these vulnerabilities and is not impacted.
| CVE | Summary |
|---|---|
| CVE-2017-8923 | This issue is only practical to exploit only when the memory limit is raised from its default to a value larger than 2 GiB. PAN-OS limits it to 128MB. |
| CVE-2017-9120 | Only impacts PHP scripts calling mysqli_real_escape_string(). PAN-OS does not make use of this function. |
| CVE-2017-18342 | Prerequisites for exploitating the vulnerable function do not exist on PAN-OS. |
| CVE-2020-12321 | Impacts only some Intel Wireless Bluetooth devices, which are not part of any products. |
| CVE-2020-12362 | Only impacts Intel(R) Graphics Drivers for Windows. Does not affect PAN-OS. |
| CVE-2020-13757 | The vulnerable API isn't used in PAN-OS. |
| CVE-2020-25717 | Though PAN-OS software contains Samba packages, there isn't a Samba file and print server that runs in PAN-OS software. This CVE can not be exploited on PAN-OS. |
| CVE-2021-20325 | The affected components are not present or not used in PAN-OS. |
| CVE-2021-21706 | This is a Windows-specific vulnerability, and does not impact PAN-OS. |
| CVE-2021-21708 | Only affects PHP scripts that use FILTER_VALIDATE_FLOAT. PAN-OS does not make use of this function. |
| CVE-2021-25217 | Prerequities for this CVE do not exist on PAN-OS. |
| CVE-2021-33910 | The vulnerable systemd software is not included in PAN-OS. |
| CVE-2021-44790 | PAN-OS does not use the vulnerable mod_lua or proxy forwarding. |
| CVE-2022-2526 | The vulnerable systemd software is not included in PAN-OS. |
| CVE-2022-29217 | The vulnerable package is not used in PAN-OS. |
| CVE-2022-29804 | The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS. |
| CVE-2022-30634 | The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS. |
| CVE-2022-31625 | PAN-OS does not use the affected PostgreSQL extension. |
| CVE-2022-31626 | PAN-OS does not make use of the vulnerable PHP PDO MySQL driver and hence not impacted. |
| CVE-2022-31628 | PAN-OS does not make use of the vulnerable phar functionality. |
| CVE-2022-31676 | There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS. |
| CVE-2022-37454 | This issue is only practical to exploit only when the memory limit is raised from its default to a value larger than 4 GiB. PAN-OS has safer and restricted limits that do not enable exploting this vulnerability. |
| CVE-2022-38023 | Though PAN-OS software contains Samba packages, there isn't a Samba file and print server that runs in PAN-OS software. This CVE can not be exploited on PAN-OS. |
| CVE-2022-40897 | PAN-OS does not allow customers to install custom packages. |
| CVE-2022-41716 | The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS. |
| CVE-2022-42898 | The vulnerable function/feature krb5_pac_parse() is not called from PAN-OS. |
| CVE-2022-45198 | The GIF images that are processed come with PAN-OS and cannot be submitted through any form of user input, so this is not exploitable. |
| CVE-2022-45199 | The TIFF images that are processed come with PAN-OS and cannot be submitted through any form of user input, so this is not exploitable. |
| CVE-2023-20900 | There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS. |
| CVE-2023-23931 | Vulnerable functions/features are not used in PAN-OS. Prerequities for this CVE do not exist on PAN-OS. |
| CVE-2023-25690 | PAN-OS does not use the vulnerable component mod_proxy or mod_rewrite. |
| CVE-2023-34058 | There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS. |
| CVE-2023-34059 | There are no scenarios that enable successful exploitation of this vulnerability on PAN-OS. |
| CVE-2023-38408 | This issue affects ssh-agent, which is not used or enabled in PAN-OS. |
| CVE-2023-40217 | The vulnerable Python features are not used in PAN-OS. |
| CVE-2023-45283 | The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS. |
| CVE-2023-45284 | The CVE is specific to the Go distribution on Windows. Does not apply to PAN-OS. |
| CVE-2023-46324 | The affected component is not used in PAN-OS. |
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS | None | All |
Palo Alto Networks is not aware of any malicious exploitation of these issues in any of our products.
No software updates are required at this time.
Vulmon