11-14-2025 05:15 AM
1) Version Clarification
Is PAN-OS 11.2.x (specifically 11.2.4-h1) affected by CVE-2023-48795 (Terrapin SSH Attack)? The advisory lists up to 11.1.x but does not mention 11.2.x.
2) Mitigation Confirmation
If 11.2.x is affected, does disabling chacha20-poly1305and Encrypt-then-MAC algorithms fully mitigate the risk, or is an upgrade required?
3) Hotfix Details
Does the hotfix version 11.2.4-h1 include the patch for CVE-2023-48795, or do we need to move to 11.2.4-h4 or later?4) Future Advisory Updates
Will Palo Alto update the official advisory to include PAN-OS 11.2.x status for CVE-2023-48795?
5) Best Practice
What is the recommended approach for customers running PAN-OS 11.2.x regarding Terrapin SSH vulnerability—upgrade path or configuration hardening?
11-14-2025 05:42 AM
according to https://security.paloaltonetworks.com/CVE-2023-48795
1) 11.2 is not affected
2) 11.2 is not affected so no mitigation required
3) it looks like this issue was either fully addressed by the time 11.2.0 came into GA hence the whole train is not affected, or a library causing this vulnerability in previous versions is not present in 11.2
4) according to the article, 11.2.0 is already unaffected, so later versions will also be unaffected. relapse to vulnerability in 11.2 would have been documented as such
5) if you believe the above information is incorrect, please open a support case for an authoritative answer from a source inside palo alto
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
