06-08-2012 04:23 AM
Dear,
The Palos on our public internet are being scanned for vulnerabilities and other open issues. Last week's scan detected an issue regarding "OpenSSL ASN.1 Parsing Vulnerabilities port 443/tcp over SSL" on the portal website of the Palo for SSL-VPN access, and it was marked high.
The security officer now wants to get this solved in a few days. What can we do about it, as shutting down the SSL portal is not possible either?
Here is the full data from this report.
"
QID: 38224
Category: General remote services
CVE ID: CVE-2003-0543, CVE-2003-0544, CVE-2003-0545, CVE-2005-1730
Vendor Reference: -
Bugtraq ID: 8732
Service Modified: 11/06/2009
User Modified: -
Edited: No
PCI Vuln: Yes
First Detected: 06/05/2012 at 18:01:45 (GMT+0200)
Last Detected: 06/05/2012 at 18:01:45 (GMT+0200)
Times Detected: 1
SOLUTION:
The OpenSSL Project released OpenSSL versions 0.9.6k and 0.9.7c to address these issues. Any application dynamically linked to OpenSSL
libraries should be restarted after applying fixes. Applications that are statically linked to OpenSSL libraries should be recompiled after upgrading
OpenSSL.
Red Hat released an advisory (RHSA-2003:291-01) to address these issues. Fixes may be applied with the Red Hat Update Agent. Manual fixes are
also listed in the advisory.
OpenPKG released advisory OpenPKG-SA-2003.044 to address these issues. Please see the advisory for details on obtaining and applying fixes.
Apple addressed these issues in MacOS X 10.2.8."
Has anyone had the same issue?
Regards
Geert
06-08-2012 10:00 AM
Hi Geert,
As of PAN-OS 4.0.0, we use OpenSSL 0.9.8p, which is not affected by this vulnerability. The Qualys scan cannot confirm the vulnerability exists, so it states it just to be thorough.
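An added example (not part of the thread, and not Palo Alto Networks or Qualys code) showing how a vendor-stated OpenSSL version can be checked against the fixed releases named in the scan report, 0.9.6k and 0.9.7c. The function names are hypothetical, and the ordering of patch letters (a to z, then za, zb, ...) and the treatment of branches newer than 0.9.7 are assumptions.

```python
import re

# Fixed release per branch, from the scan report's SOLUTION text on this page.
FIXED = {(0, 9, 6): "k", (0, 9, 7): "c"}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def letter_rank(suffix):
    """Order patch letters: '' < a < ... < z < za < zb (assumed scheme)."""
    if not suffix:
        return 0
    if not re.fullmatch(r"z*[a-z]", suffix):
        raise ValueError(f"unexpected patch suffix: {suffix!r}")
    return 26 * (len(suffix) - 1) + ord(suffix[-1]) - ord("a") + 1


def parse(version):
    """Turn '0.9.8za' into a sortable key ((0, 9, 8), 27)."""
    m = _VERSION.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"not an OpenSSL letter-style version: {version!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), letter_rank(m.group(4))


def triage(version):
    """Classify a vendor-stated OpenSSL version against the finding's fix levels."""
    branch, rank = parse(version)
    if branch in FIXED:
        return "fixed" if rank >= letter_rank(FIXED[branch]) else "vulnerable"
    if branch > max(FIXED):
        # Assumption: a branch newer than 0.9.7 already contains the fix,
        # which is what the reply above states for 0.9.8p.
        return "later-branch"
    return "unlisted"  # older branch: the report names no fixed release


if __name__ == "__main__":
    # Constructed sample inputs; 0.9.8p and 0.9.8za are versions named in the thread.
    for v in ("0.9.6j", "0.9.6k", "0.9.7b", "0.9.7c", "0.9.8p", "0.9.8za"):
        print(f"{v:8} {triage(v)}")
```

The result is only as good as the version string fed in, so for a scanner finding like this one the input should come from the vendor's statement or support ticket rather than from a guess.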
06-08-2012 08:59 AM
+1 to this.
I have an open ticket in regard to this as well.
If you have not opened a ticket with support, please do so; it should help with the escalation for resolution.
Thanks
James
06-08-2012 09:06 AM
A couple of clarification questions:
What version of PANOS are you running, and which VPN/GP client do you have installed? We are running 4.0.11 with NetConnect 1.3.3.
Who is your scan provider? We are using Qualys (I believe).
Thanks
James
06-10-2012 08:22 AM
Hi,
Yes, we are running 4.0.9 and 4.0.10 on two different clusters, both with 1.3.3, and yes, it is Qualys doing the scans.
So I suppose we are safe, since the updated OpenSSL has been in use since 4.0.0.
09-06-2012 10:05 PM
FYI, on 4.1.X the OpenSSL version is also OpenSSL 0.9.8.
06-10-2014 12:49 AM
Hello,
What version is the OpenSSL library in PANOS 5.0.x?
06-10-2014 12:56 AM
Hi.
PANOS has been using OpenSSL 0.9.8, and that does not have the vulnerability from this OpenSSL issue. But the newer OpenSSL issue is a problem for PAN, and you should call and ask your local SE; he can provide you with proper information on the issue.
I am always monitoring for you on the PAN community.
Thanks.
06-10-2014 02:33 AM
Thanks Roh.
Your monitoring always gives me a scare.
Anyway, I need the detailed version, for example 0.9.8p or 0.9.8za, etc.