Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778

The Palo Alto Networks Product Security Assurance team has evaluated the OpenSSL infinite loop vulnerability (CVE-2022-0778) as it relates to our products.

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a Denial-of-Service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

The Prisma Cloud and Cortex XSOAR products are not impacted by this vulnerability. However, PAN-OS, GlobalProtect app, and Cortex XDR agent software contain a vulnerable version of the OpenSSL library and product availability is impacted by this vulnerability. For PAN-OS software, this includes both hardware and virtual firewalls and Panorama appliances as well as Prisma Access customers. This vulnerability has reduced severity on Cortex XDR agent and GlobalProtect app as successful exploitation requires a meddler-in-the-middle attack (MITM): 5.9 Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

All fixed versions of Cortex XDR agent, GlobalProtect app, and PAN-OS are now available.

Work around:
Customers with a Threat Prevention subscription can block known attacks for this vulnerability by enabling Threat IDs 92409 and 92411 (Applications and Threats content update 8552). This mitigation reduces the risk of exploitation from known exploits.

Customers will need to upgrade their products to a fixed version to completely remove the risk of this issue.