Hello Paloalto Team
Last thursday you published the securityadvisory for a critical RCE vulnerability and today you notified the customers again with an "Action recommended" article here: https://live.paloaltonetworks.com/t5/Customer-Advisories/Action-Recommended-Recent-Security-Advisory...
In this article you write about that even if this vulnerability has been patched a while ago there are still customers that are running a vulnerable version. Did you really expect something else when you try to keep a critical vulnerability secret for more than a year? I mean, good that you found it and released a fix for it but even with internal discoveries you need to go public with it - obviously this is my personal opinion. This is the fault of Paloalto that many customers are exposed to a critical RCE vulnerability for more than a year. It probably would still be a secret if not someone else found this RCE, so you were forced to go public.
Probably some hard words but for a security company like Paloalto this was disappointing. No one is expecting perfect software. Everyone knows there are bugs and vulnerabilities. But specially with vulnerabilities there is a right and a wrong way to deal with. So now you have to live with the criticism of the security community ...
Here are the release dates of the PAN-OS versions where this vulnerability was fixed:
8.1.3 --> 08/13/2018
8.0.12 --> 08/09/2018
7.1.19 --> 07/28/2018
Luckily(/hopefully) it was not publicly known, but because Paloalto has released fixed versions one year ago, this means the company knew about this critical vulnerability ... and the security advisory by Paloalto (from July 2019) was only published because external security researchers also found this vulnerability ...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!