Prisma Cloud vulnerability feed

Information on threat intelligence and vulnerability data on Prisma Cloud is available through the Prisma Cloud Intelligence Stream(IS) feed.

Pre-filled CVEs

On Prisma Cloud you may find vulnerabilities with a CVE identifier that neither MITRE nor NVD is reporting or is actively analysing. A pre-filled CVE is the result of analysis conducted by Palo Alto Networks Unit 42 researchers. The researchers manually review the details of each vulnerability, identify the correct range of affected releases and deliver the data to IS.
Many vulnerabilities in open-source software are assigned with a CVE ID and promptly analyzed by NVD and Linux distribution vendors. However, some vulnerabilities take a long time to be analyzed, sometimes weeks or even months. Having a CVE but no analysis means users have no information on the severity, affected releases, or description of the vulnerability amd therby making it impossible to defend against these vulnerabilities.
Let’s examine an example scenario. Security researchers find a vulnerability in an open source project. The vulnerability details are publicly discussed in the project’s bug tracker, e.g. in a GitHub issue. Following the discussion, the issue is fixed and a CVE ID is assigned to the issue. At this stage, NVD analysis takes place, and it may take multiple days for the NVD site to be updated with description and the affected releases range (CPE). Instead of waiting for the official analysis to complete, our researchers evaluate the vulnerability and insert the data into Prisma Cloud feeds quickly, preventing any delay in remediation of the vulnerability. When the NVD entry is fully updated, Prisma Cloud uses the official data from NVD.


You may also find vulnerabilities marked with a PRISMA-* identifier. These vulnerabilities lack a CVE ID. Many vulnerabilities are publicly discussed or patched without a CVE ever being assigned to them. While monitoring open source vulnerabilities, our team identifies vulnerabilities you need to be aware of, and assigns PRISMA IDs to them whenever applicable.
For example, let’s review PRISMA-2021-0020. A user found a bug in the Python package click and opened an issue through its open source repository in GitHub. Our research team found this issue and determined it explains a valid security vulnerability. Although no CVE was assigned to this vulnerability, our team promptly assigned it a PRISMA identifier, and analyzed the correct range of affected releases. Affected customers were alerted to this vulnerability despite the lack of any public vulnerability identifier. If a CVE is ever assigned to a same vulnerability that has a Prisma ID, the CVE takes over and the PRISMA ID entry is fully replaced. Read more about the correlation between PRISMA IDs and CVEs in this blog post.
The following diagram shows the PRISMA ID and Pre-filled CVEs assignment flow:

PRISMA-* ID Syntax

PRISMA ID syntax consists of the PRISMA prefix, year of release and a sequence of four digits. For example, "PRISMA-2020-1234". This format is intentionally similar to that used by CVE IDs. There is absolutely no correlation between the sequence used for PRISMA IDs to that of CVEs released the same year. There is also no grouping of PRISMA IDs. That is, there is no correlation between adjacent PRISMA ID sequences.

Investigating PRISMA-* Vulnerabilities

The vulnerability description includes the necessary information required to understand the vulnerability. The severity is carefully determined by our team based on CVSS scoring. You may also access the ID link to find the original source that resulted in the assignment of the PRISMA ID. This will likely be an external advisory, a GitHub (or other bug tracker) issue, or it may directly lead you to the fix commit (pull request) when there is no correlating informational page.

Prisma ID FAQs

  • Why use PRISMA-IDs?
    We are committed to ensuring that the Prisma Cloud Intelligence Stream provides the most accurate and up to date vulnerability information.
    Through the Intelligence Stream, Prisma Cloud should be able to alert on any relevant vulnerabilities that exist in scanned environments, regardless of having a CVE or not. Our researchers monitor open-source code repositories continuously in an effort to detect publicly known vulnerabilities that are not tracked under a CVE record. Upon finding such a vulnerability, the researchers complete a full analysis of the vulnerability including assessing its severity and describing its impact, and finally assign a PRISMA ID to. The Intelligence Stream is shortly thereafter updated with the new entry, and users immediately benefit from the detection of the vulnerability by Prisma Cloud.
    This process allows Prisma Cloud users to be better informed and secure from vulnerabilities that are otherwise not detected by regular vulnerability management tools.
  • Why not wait for a CVE-ID?
    Although most vulnerabilities in open-source are assigned CVEs quickly after being discovered,