https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cve-2022-0778-mitigation-with-threat-prevention/m-p/479179#M1582 <P>FWIW: PaloAlto just sent out release notices for PAN-OS v9.1.13-h3 and v10.1.5-h1 and they are on the download servers now&nbsp; (weren't there a couple hours ago). The release notes give a single patch:</P><TABLE><TBODY><TR><TD><DIV><DIV class=""><DIV><DIV>PAN-190175 and PAN-190223</DIV></DIV></DIV></DIV></TD><TD><DIV><DIV class=""><DIV>A fix was made to address an OpenSSL infinite loop vulnerability in the PAN-OS software (<A title="" href="https://security.paloaltonetworks.com/CVE-2022-0778" target="_blank" rel="noopener">CVE-2022-0778</A>).</DIV></DIV></DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>No updates on the servers yet for GP clients.</P> Fri, 08 Apr 2022 00:27:54 GMT Adrian_Jensen 2022-04-08T00:27:54Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cve-2022-0778-mitigation-with-threat-prevention/m-p/479121#M1580 <P>Hi,</P><P>&nbsp;</P><P>Following the CVE-2022-0778 vulnerability, I would like to apply the workaround to reduce the risk of attack until the PAN-OS update is released.</P><P>&nbsp;</P><P>According to the security ticket, you have to activate the Threat IDs 92409 and 92411 but how to do it ?</P><P>&nbsp;</P><P>I found this link but I'm not sure of the procedure: <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC</A></P><P>&nbsp;</P><P>Thanks in advance for your help</P> Thu, 07 Apr 2022 21:06:07 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cve-2022-0778-mitigation-with-threat-prevention/m-p/479121#M1580 feelgood 2022-04-07T21:06:07Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cve-2022-0778-mitigation-with-threat-prevention/m-p/479143#M1581 <P>Yeah, that is not very clear to me either... It looks like threats 92409 and 92411 are already enabled, both are set to "reset-server" connection by default. CVE-2022-0778 affects lots of OpenSSL integrated products, not just PAN-OS, so perhaps the workaround is meant more specifically for blocking exploits against devices behind the PA.</P> Thu, 07 Apr 2022 22:35:46 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cve-2022-0778-mitigation-with-threat-prevention/m-p/479143#M1581 Adrian_Jensen 2022-04-07T22:35:46Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cve-2022-0778-mitigation-with-threat-prevention/m-p/479179#M1582 <P>FWIW: PaloAlto just sent out release notices for PAN-OS v9.1.13-h3 and v10.1.5-h1 and they are on the download servers now&nbsp; (weren't there a couple hours ago). The release notes give a single patch:</P><TABLE><TBODY><TR><TD><DIV><DIV class=""><DIV><DIV>PAN-190175 and PAN-190223</DIV></DIV></DIV></DIV></TD><TD><DIV><DIV class=""><DIV>A fix was made to address an OpenSSL infinite loop vulnerability in the PAN-OS software (<A title="" href="https://security.paloaltonetworks.com/CVE-2022-0778" target="_blank" rel="noopener">CVE-2022-0778</A>).</DIV></DIV></DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>No updates on the servers yet for GP clients.</P> Fri, 08 Apr 2022 00:27:54 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cve-2022-0778-mitigation-with-threat-prevention/m-p/479179#M1582 Adrian_Jensen 2022-04-08T00:27:54Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cve-2022-0778-mitigation-with-threat-prevention/m-p/479241#M1583 <P>Thank you for your feedback.</P><P>&nbsp;</P><P>Yes, I can see the release on PAN-OS 9.1 and 10.1 on Software Update but not yet 8.1.</P><P>&nbsp;</P><P>Thank you for your feedback.</P> Fri, 08 Apr 2022 07:45:54 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cve-2022-0778-mitigation-with-threat-prevention/m-p/479241#M1583 feelgood 2022-04-08T07:45:54Z