07-24-2019 10:29 AM
Hello Paloalto Team,
Last Thursday you published the security advisory for a critical RCE vulnerability, and today you notified the customers again with an "Action recommended" article here: https://live.paloaltonetworks.com/t5/Customer-Advisories/Action-Recommended-Recent-Security-Advisory...
In this article you write that even though this vulnerability was patched a while ago, there are still customers running a vulnerable version. Did you really expect something else when you try to keep a critical vulnerability secret for more than a year? I mean, it is good that you found it and released a fix for it, but even with internal discoveries you need to go public with it - obviously this is my personal opinion. It is the fault of Paloalto that many customers have been exposed to a critical RCE vulnerability for more than a year. It probably would still be a secret if someone else had not found this RCE, so you were forced to go public.
Probably some hard words, but for a security company like Paloalto this was disappointing. No one is expecting perfect software. Everyone knows there are bugs and vulnerabilities. But especially with vulnerabilities there is a right and a wrong way to deal with them. So now you have to live with the criticism of the security community ...
Regards,
Remo
08-29-2019 04:03 AM
@Remo May I ask where you got the information that the vulnerability was known for more than a year?
Maybe I missed something in the security advisory or CVE, but I cannot find this information.
08-29-2019 04:45 AM
Hi @Chacko42
Here are the release dates of the PAN-OS versions where this vulnerability was fixed:
8.1.3 --> 08/13/2018
8.0.12 --> 08/09/2018
7.1.19 --> 07/28/2018
Luckily (hopefully) it was not publicly known, but because Paloalto released fixed versions one year ago, the company must have known about this critical vulnerability ... and the security advisory by Paloalto (from July 2019) was only published because external security researchers also found this vulnerability ...