https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25277#M18422 <HTML><HEAD></HEAD><BODY><P>Couple of clarification questions</P><P>What version of PANOS are you running and which VPN/GP client do you have installed - we are running 4.0.11 with NetConnect 1.3.3</P><P>Who is you scan provider?&nbsp; We are using Qualys (I believe)</P><P>Thanks</P><P>James</P></BODY></HTML> Fri, 08 Jun 2012 16:06:13 GMT jcostello 2012-06-08T16:06:13Z https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25275#M18420 <HTML><HEAD></HEAD><BODY><P>Dear,</P><P></P><P>the palo's on our public internet are being scanned for vulnerabilities and other open issues. Last week scanning a issue regarding "<SPAN style="font-size: 8.0pt; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;; color: black; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">OpenSSL ASN.1 Parsing Vulnerabilities port 443/tcp over SSL" <SPAN style="font-size: 10pt;"> on the portal website of the Palo for ssl-vpn access was detected and marked high.</SPAN></SPAN></P><P><SPAN style=": ; mso-fareast-language: EN-US; mso-bidi-language: AR-SA; color: black; font-size: 10pt; sans-serif&amp;quot: ; Times New Roman&amp;quot: ; mso-ansi-language: EN-US; font-family: &amp;quot; Arial&amp;quot: ; ,&amp;quot: ; mso-fareast-font-family: &amp;quot; ">The security officer now wants to get this solved in a few days. What can we do about it as shutting down SSL portal is not possible either.</SPAN></P><P><SPAN style=": ; mso-fareast-language: EN-US; mso-bidi-language: AR-SA; color: black; font-size: 10pt; sans-serif&amp;quot: ; Times New Roman&amp;quot: ; mso-ansi-language: EN-US; font-family: &amp;quot; Arial&amp;quot: ; ,&amp;quot: ; mso-fareast-font-family: &amp;quot; ">Here the full data from this report.</SPAN></P><P></P><P><SPAN style=": ; mso-fareast-language: EN-US; mso-bidi-language: AR-SA; color: black; font-size: 10pt; sans-serif&amp;quot: ; Times New Roman&amp;quot: ; mso-ansi-language: EN-US; font-family: &amp;quot; Arial&amp;quot: ; ,&amp;quot: ; mso-fareast-font-family: &amp;quot; ">"</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">QID: 38224</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">Category: General remote services</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">CVE ID: </SPAN><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:blue;mso-ansi-language:EN-US">CVE-2003-0543</SPAN><SPAN style="font-size: 8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language:EN-US">, </SPAN><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:blue;mso-ansi-language: EN-US">CVE-2003-0544</SPAN><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black;mso-ansi-language:EN-US">, </SPAN><SPAN style="font-size:8.0pt; font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:blue;mso-ansi-language:EN-US">CVE-2003-0545</SPAN><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">, </SPAN><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:blue;mso-ansi-language:EN-US">CVE-2005-1730</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">Vendor Reference: -</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">Bugtraq ID: </SPAN><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:blue;mso-ansi-language:EN-US">8732</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">Service Modified: 11/06/2009</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">User Modified: -</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">Edited: No</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">PCI Vuln: Yes</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">First Detected: 06/05/2012 at 18:01:45 (GMT+0200) Last Detected: 06/05/2012 at 18:01:45 (GMT+0200) Times Detected: 1</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">SOLUTION:</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">The OpenSSL Project released OpenSSL versions 0.9.6k and 0.9.7c to address these issues. Any application dynamically linked to OpenSSL</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">libraries should be restarted after applying fixes. Applications that are statically linked to OpenSSL libraries should be recompiled after upgrading</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">OpenSSL.</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">Red Hat released an advisory (RHSA-2003:291-01) to address these issues. Fixes may be applied with the Red Hat Update Agent. Manual fixes are</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">also listed in the advisory.</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">OpenPKG released advisory OpenPKG-SA-2003.044 to address these issues. Please see the advisory for details on obtaining and applying fixes.</SPAN></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">Apple addressed these issues in MacOS X 10.2.8."</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">Anyone had the same issue ?</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">Regards</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal" style="mso-layout-grid-align:none;text-autospace:none"><SPAN style="font-size:8.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black;mso-ansi-language: EN-US">Geert<BR /></SPAN></P></BODY></HTML> Fri, 08 Jun 2012 11:23:35 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25275#M18420 gejac 2012-06-08T11:23:35Z https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25276#M18421 <HTML><HEAD></HEAD><BODY><P>+1 to this.</P><P>I have an open ticket in regard to this as well.</P><P>If you have not opened a ticket with support, please do so it should help with the escalation for resolution</P><P>Thanks</P><P>James</P></BODY></HTML> Fri, 08 Jun 2012 15:59:57 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25276#M18421 jcostello 2012-06-08T15:59:57Z https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25277#M18422 <HTML><HEAD></HEAD><BODY><P>Couple of clarification questions</P><P>What version of PANOS are you running and which VPN/GP client do you have installed - we are running 4.0.11 with NetConnect 1.3.3</P><P>Who is you scan provider?&nbsp; We are using Qualys (I believe)</P><P>Thanks</P><P>James</P></BODY></HTML> Fri, 08 Jun 2012 16:06:13 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25277#M18422 jcostello 2012-06-08T16:06:13Z https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25278#M18423 <HTML><HEAD></HEAD><BODY><P>Hi Geert,</P><P></P><P>As of PAN-OS 4.0.0, we use OpenSLL 0.9.8p, which is not affected by this vulnerability.&nbsp; The Qualys scan cannot confirm the vulnerability exists, so it states it just to be thorough.</P></BODY></HTML> Fri, 08 Jun 2012 17:00:18 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25278#M18423 tettema 2012-06-08T17:00:18Z https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25279#M18424 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>yes we are running 4.0.9 and 4.0.10 ont two different cluster&nbsp; with both 1.3.3, and yes it is Qualys doing the scans.</P><P>So suppose we are safe, as since 4.0.0 the updated openssl is being used.</P></BODY></HTML> Sun, 10 Jun 2012 15:22:31 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25279#M18424 gejac 2012-06-10T15:22:31Z https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25280#M18425 <HTML><HEAD></HEAD><BODY><P>FYI on 4.1.X the OpenSSL version is also <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"> OpenSLL 0.9.8</SPAN></P></BODY></HTML> Fri, 07 Sep 2012 05:05:07 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25280#M18425 vkelley 2012-09-07T05:05:07Z https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25281#M18426 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>What version is open SSL Library in PANOS 5.0.x???</P></BODY></HTML> Tue, 10 Jun 2014 07:49:02 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25281#M18426 KiCheon.Lee 2014-06-10T07:49:02Z https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25282#M18427 <HTML><HEAD></HEAD><BODY><P>Hi.</P><P></P><P>PANOS have been used for OPEN SSL 0.9.8 and that has not vulnerability of Open SSL issue. But newer OpenSSL issue has got a problem of PAN and you should call and question your local SE and He can provide you proper information for the issue.</P><P></P><P>I have been always monitoring for you on the PAN community. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Thanks.</P></BODY></HTML> Tue, 10 Jun 2014 07:56:36 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25282#M18427 Retired Member 2014-06-10T07:56:36Z https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25283#M18428 <HTML><HEAD></HEAD><BODY><P>Thanks Roh.</P><P>Your monitoring always gives me a scare.</P><P>Anyway, I need a detail version. For example, 0.9.8p or 0.9.8za or etc.</P></BODY></HTML> Tue, 10 Jun 2014 09:33:25 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-high-vulnerability-issue/m-p/25283#M18428 KiCheon.Lee 2014-06-10T09:33:25Z