PAN-SA-2019-0020 ... really?

Hello Paloalto Team

Last Thursday you published the security advisory for a critical RCE vulnerability, and today you notified the customers again with an "Action recommended" article here: https://live.paloaltonetworks.com/t5/Customer-Advisories/Action-Recommended-Recent-Security-Advisory...

In this article you write that even though this vulnerability was patched a while ago, there are still customers running a vulnerable version. Did you really expect anything else when you try to keep a critical vulnerability secret for more than a year? I mean, it is good that you found it and released a fix for it, but even with internal discoveries you need to go public with it - obviously this is my personal opinion. It is Paloalto's fault that many customers have been exposed to a critical RCE vulnerability for more than a year. It would probably still be a secret if someone else had not found this RCE and forced you to go public.

These are probably harsh words, but for a security company like Paloalto this was disappointing. No one expects perfect software. Everyone knows there are bugs and vulnerabilities. But especially with vulnerabilities, there is a right and a wrong way to deal with them. So now you have to live with the criticism of the security community ...

Regards,

Remo

@Remo May I ask where you got the information that the vulnerability has been known for more than a year?

Maybe I missed something in the security advisory or CVE, but I cannot find this information.

Best Regards
Chacko

Hi @Chacko42

Here are the release dates of the PAN-OS versions where this vulnerability was fixed:

8.1.3 --> 08/13/2018
8.0.12 --> 08/09/2018
7.1.19 --> 07/28/2018

Luckily (hopefully) it was not publicly known, but because Paloalto released fixed versions one year ago, this means the company knew about this critical vulnerability ... and the security advisory by Paloalto (from July 2019) was only published because external security researchers also found this vulnerability ...
