CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778

Palo Alto Networks Security Advisories / CVE-2022-0778

Severity 7.5 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH

Description

The Palo Alto Networks Product Security Assurance team is evaluating the OpenSSL infinite loop vulnerability (CVE-2022-0778) as it relates to our products.

This vulnerability causes the OpenSSL library to enter an infinite loop while parsing a malformed certificate, which results in a denial of service (DoS) for the application that called the parser. According to the OpenSSL project's advisory, the loop is in BN_mod_sqrt(), which is reached when a certificate carries explicit elliptic-curve parameters with a compressed point whose field modulus is not prime. The loop is triggered during parsing, before signature verification completes, so an attacker does not need a certificate that chains to a trusted CA: any peer that can present the crafted certificate to a vulnerable parser (for example, a TLS server presenting it to a client, or a TLS client presenting it to a server that requests client certificates) can trigger the hang.

The Cortex XSOAR product is not impacted by this vulnerability. However, PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a vulnerable version of the OpenSSL library, and product availability is impacted by this vulnerability. For PAN-OS software this includes hardware and virtual firewalls, Panorama appliances, and Prisma Access customers. The severity is reduced for the Cortex XDR agent and the GlobalProtect app because the attacker must be able to present the crafted certificate to the client, which requires an attacker-in-the-middle (MITM) position on the connection: 5.9 Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

We are working diligently on fixes that remove the vulnerable code from our PAN-OS, GlobalProtect app, and Cortex XDR agent software. This advisory will be updated with the fixed hotfix and product upgrade versions as soon as they are available.
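The advisory identifies affected products by their own release numbers, but the same question arises for any host that links OpenSSL directly. The following shell function is an added example, not part of the Palo Alto Networks advisory or of any Palo Alto Networks tooling; it classifies an `openssl version` string against the upstream releases that fixed CVE-2022-0778 (1.0.2zd for premium-support customers, 1.1.1n, and 3.0.2, released by the OpenSSL project on 15 March 2022). The function name and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an "openssl version" string
# against the upstream OpenSSL releases that fixed CVE-2022-0778.
# Fixed releases per the OpenSSL project advisory of 15 March 2022:
#   1.0.2zd (premium support only), 1.1.1n, 3.0.2.
# Prints one of: fixed | vulnerable | unsupported | unknown
# Exit code:            0 | 1          | 3           | 2   (this example's own convention)

openssl_cve_2022_0778_status() {
    # Keep only the version token: "OpenSSL 1.1.1k  25 Mar 2021" -> "1.1.1k"
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL[[:space:]]\{1,\}\([0-9][0-9A-Za-z.]*\).*/\1/p')
    [ -n "$v" ] || { echo unknown; return 2; }

    case "$v" in
        3.*)
            # 3.x uses numeric patch levels; only 3.0.0 and 3.0.1 shipped the bug
            case "$v" in
                3.0.0|3.0.1) echo vulnerable; return 1 ;;
                *)           echo fixed;      return 0 ;;
            esac ;;
        1.1.1*)
            # Letter-suffixed releases: 1.1.1 (no letter) through 1.1.1m are
            # vulnerable, 1.1.1n and later are fixed
            case "${v#1.1.1}" in
                ''|[a-m]*) echo vulnerable; return 1 ;;
                *)         echo fixed;      return 0 ;;
            esac ;;
        1.0.2*)
            # 1.0.2 ran a..z, then za, zb, zc (vulnerable); zd is the fixed release
            case "${v#1.0.2}" in
                ''|[a-y]*|z|z[a-c]*) echo vulnerable; return 1 ;;
                *)                   echo fixed;      return 0 ;;
            esac ;;
        *)
            # 1.0.0, 1.0.1, 1.1.0 and older were out of support in 2022 and
            # never received the fix; treat them as not fixed
            echo unsupported; return 3 ;;
    esac
}

# Run directly against the local library:  sh check.sh "$(openssl version)"
if [ "$#" -gt 0 ]; then
    openssl_cve_2022_0778_status "$1"
fi
```

Two caveats when using this check. First, it classifies the upstream version string only: Linux distributions that backport security fixes (Debian, Ubuntu, RHEL and their derivatives) keep the old version letter, so a host reporting 1.1.1k may already carry the fix in its package changelog; consult the distribution's own advisory rather than this string. Second, applications that statically link or bundle OpenSSL, which is the situation the advisory describes for PAN-OS, GlobalProtect and Cortex XDR, are not covered by checking the system library at all; the vendor's fixed product versions listed below are the authority there.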

This issue impacts:

PAN-OS 8.1 versions earlier than PAN-OS 8.1.23 (ETA April ‘22);

PAN-OS 9.0 versions earlier than PAN-OS 9.0.16-hf (ETA April ‘22);

PAN-OS 9.1 versions earlier than PAN-OS 9.1.13-hf (ETA April ‘22);

PAN-OS 10.0 versions earlier than PAN-OS 10.0.10 (ETA April ‘22);

PAN-OS 10.1 versions earlier than PAN-OS 10.1.5-hf (ETA April ‘22);

PAN-OS 10.2 versions earlier than PAN-OS 10.2.1 (ETA April ‘22).

The Prisma Access team continues to evaluate the impact of this vulnerability on the dataplane and will be in touch with Prisma Access customers.

This issue impacts all versions of GlobalProtect app and Cortex XDR agent.

Product Status

Product            Versions   Affected                 Unaffected
Cortex XDR Agent              all
Cortex XSOAR                  None                     all
GlobalProtect App             all
PAN-OS             10.2       < 10.2.1                 >= 10.2.1
PAN-OS             10.1       < 10.1.5-hf              >= 10.1.5-hf
PAN-OS             10.0       < 10.0.10                >= 10.0.10
PAN-OS             9.1        < 9.1.13-hf              >= 9.1.13-hf
PAN-OS             9.0        < 9.0.16-hf              >= 9.0.16-hf
PAN-OS             8.1        < 8.1.23                 >= 8.1.23
Prisma Access      3.0        Preferred, Innovation
Prisma Access      2.2        Preferred
Prisma Access      2.1        Preferred, Innovation

Required Configuration for Exposure

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.

Weakness Type

CWE-834 Excessive Iteration

Solution

We intend to fix this issue in the following releases: PAN-OS 8.1.23, PAN-OS 9.0.16-hf, PAN-OS 9.1.13-hf, PAN-OS 10.0.10, PAN-OS 10.1.5-hf, PAN-OS 10.2.1, and all later PAN-OS versions. These updates are expected to be available in April.

This advisory will be updated as more fixed version information becomes available, including the exact PAN-OS hotfix versions and the Prisma Access, Cortex XDR agent, and GlobalProtect app releases that contain the fix.

There are currently no software updates available for this issue.

Workarounds and Mitigations

No workarounds or mitigations are available for Palo Alto Networks products at this time.

Frequently Asked Questions

Q. Where can I get the most up-to-date information on product fixes for this issue?

This security advisory will be continually updated with the latest fixed version information for all listed Palo Alto Networks products.

Q. Is a Threat Prevention signature available for this issue?

No, there is no Threat Prevention signature to mitigate this vulnerability.

Timeline

Initial publication