===========================================================================
AUSCERT Security Bulletin

ASB-2018.0241.3
PAN-SA-2018-0015 OpenSSL in PAN-OS
21 November 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Palo Alto PAN-OS
Operating System:  PAN-OS
Impact/Access:     Access Privileged Data -- Existing Account
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0739 CVE-2018-0737 CVE-2018-0732
Reference:         ASB-2018.0180
                   ASB-2018.0118
                   ASB-2018.0113
                   ESB-2018.3049
                   ESB-2018.2944
                   ESB-2018.2941

Revision History:  November 21 2018: Updated mitigation section
                   October 25 2018:  Updated list of affected products and
                                     information on available patches
                   October 12 2018:  Initial Release

OVERVIEW

Palo Alto Networks has addressed vulnerabilities from the third party
software OpenSSL in the following versions:

 o PAN-OS 6.1.20 and earlier,
 o PAN-OS 7.1.20 and earlier,
 o PAN-OS 8.0.13 and earlier,
 o PAN-OS 8.1.3 and earlier
 o WF-500 running WF-500 software versions PAN-OS 6.1.20 and earlier,
   PAN-OS 7.1.20 and earlier, PAN-OS 8.0.13 and earlier, and
   PAN-OS 8.1.3 and earlier [1]

IMPACT

The vendor provided the following detail on the vulnerability:

"The OpenSSL library has been found to contain vulnerabilities
CVE-2018-0732, CVE-2018-0737, and CVE-2018-0739" [1]

"The OpenSSL library in use by PAN-OS is patched on a regular basis." [1]

MITIGATION

There are updates available for the following versions of PAN-OS:

 o PAN-OS 7.1.21 and later,
 o PAN-OS 8.0.14 and later,
 o PAN-OS 8.1.4 and later,
 o WF-500 running WF-500 software version 8.0.14 and later,
 o WF-500 running WF-500 software version 8.1.4 and later.

The vendor states that PAN-OS 6.1 will NOT have a fix. [1]

The vendor states that:

"For WF-500 software versions 7.1 and earlier, please consult the
WildFire Administrator's Guide for steps to upgrade the software." [1]

REFERENCES

[1] PAN-SA-2018-0015 OpenSSL in PAN-OS
    https://securityadvisories.paloaltonetworks.com/Home/Detail/133

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================